authorNikolai Kondrashov <Nikolai.Kondrashov@redhat.com>2014-02-12 10:12:59 -0500
committerJakub Hrozek <jhrozek@redhat.com>2014-02-12 22:31:02 +0100
commit83bf46f4066e3d5e838a32357c201de9bd6ecdfd (patch)
tree65f491f7661bd533398625e015f2b5e5bff3badf /src/providers/ldap
parent45a1d9d597df977354428440aeff11c6a0a947fe (diff)
Update DEBUG* invocations to use new levels
Use a script to update DEBUG* macro invocations, which use literal numbers for levels, to use bitmask macros instead: grep -rl --include '*.[hc]' DEBUG . | while read f; do mv "$f"{,.orig} perl -e 'use strict; use File::Slurp; my @map=qw" SSSDBG_FATAL_FAILURE SSSDBG_CRIT_FAILURE SSSDBG_OP_FAILURE SSSDBG_MINOR_FAILURE SSSDBG_CONF_SETTINGS SSSDBG_FUNC_DATA SSSDBG_TRACE_FUNC SSSDBG_TRACE_LIBS SSSDBG_TRACE_INTERNAL SSSDBG_TRACE_ALL "; my $text=read_file(\*STDIN); my $repl; $text=~s/ ^ ( .* \b (DEBUG|DEBUG_PAM_DATA|DEBUG_GR_MEM) \s* \(\s* )( [0-9] )( \s*, ) ( \s* ) ( .* ) $ / $repl = $1.$map[$3].$4.$5.$6, length($repl) <= 80 ? $repl : $1.$map[$3].$4."\n".(" " x length($1)).$6 /xmge; print $text; ' < "$f.orig" > "$f" rm "$f.orig" done Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Stephen Gallagher <sgallagh@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
Diffstat (limited to 'src/providers/ldap')
-rw-r--r--src/providers/ldap/ldap_auth.c117
-rw-r--r--src/providers/ldap/ldap_child.c11
-rw-r--r--src/providers/ldap/ldap_common.c114
-rw-r--r--src/providers/ldap/ldap_id.c12
-rw-r--r--src/providers/ldap/ldap_id_cleanup.c21
-rw-r--r--src/providers/ldap/ldap_id_netgroup.c7
-rw-r--r--src/providers/ldap/ldap_init.c47
-rw-r--r--src/providers/ldap/sdap.c121
-rw-r--r--src/providers/ldap/sdap_access.c172
-rw-r--r--src/providers/ldap/sdap_async.c158
-rw-r--r--src/providers/ldap/sdap_async_connection.c132
-rw-r--r--src/providers/ldap/sdap_async_enum.c6
-rw-r--r--src/providers/ldap/sdap_async_groups.c97
-rw-r--r--src/providers/ldap/sdap_async_initgroups.c173
-rw-r--r--src/providers/ldap/sdap_async_initgroups_ad.c4
-rw-r--r--src/providers/ldap/sdap_async_netgroups.c72
-rw-r--r--src/providers/ldap/sdap_async_users.c7
-rw-r--r--src/providers/ldap/sdap_child_helpers.c47
-rw-r--r--src/providers/ldap/sdap_fd_events.c47
-rw-r--r--src/providers/ldap/sdap_id_op.c76
20 files changed, 834 insertions, 607 deletions
diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c
index b9105a144..2a7d06ca2 100644
--- a/src/providers/ldap/ldap_auth.c
+++ b/src/providers/ldap/ldap_auth.c
@@ -62,13 +62,13 @@ static errno_t add_expired_warning(struct pam_data *pd, long exp_time)
uint32_t *data;
if (exp_time < 0 || exp_time > UINT32_MAX) {
- DEBUG(1, "Time to expire out of range.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "Time to expire out of range.\n");
return EINVAL;
}
data = talloc_array(pd, uint32_t, 2);
if (data == NULL) {
- DEBUG(1, "talloc_size failed.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_size failed.\n");
return ENOMEM;
}
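Review bot: The allocation-failure message says `talloc_size failed.` but the call above it is `talloc_array`, and the script carries the stale text over unchanged. Several other rewritten lines in this commit name a function that was not the one called: `talloc_size failed.` after `talloc_zero` in main() of ldap_child.c, `sss_krb5_try_kdcip failed.` and `dp_opt_set_string failed.` after `krb5_try_kdcip` and `dp_opt_set_blob` in ldap_get_options, `talloc_zfree failed.` after `talloc_zero` in sdap_install_offline_callback, and `Failed to install sigterm handler` after `sdap_install_offline_callback` in sdap_gssapi_init. Someone reading these logs during an incident would be sent to the wrong call; here the line would read `DEBUG(SSSDBG_CRIT_FAILURE, "talloc_array failed.\n");`. The body of add_expired_warning continues outside the hunk.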
@@ -78,7 +78,7 @@ static errno_t add_expired_warning(struct pam_data *pd, long exp_time)
ret = pam_add_response(pd, SSS_PAM_USER_INFO, 2 * sizeof(uint32_t),
(uint8_t *) data);
if (ret != EOK) {
- DEBUG(1, "pam_add_response failed.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "pam_add_response failed.\n");
}
return EOK;
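Review bot: A failed `pam_add_response` is logged at `SSSDBG_CRIT_FAILURE` and then discarded by the unconditional `return EOK;`, so the `add_expired_warning failed.` branches in the callers can only fire for the earlier range and allocation errors. If dropping the warning is intended, say so with a comment such as `/* best effort: a missing expiry warning must not fail the login */`; otherwise `return ret;`. The lines of the function between its two hunks are not visible here.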
@@ -98,18 +98,21 @@ static errno_t check_pwexpire_kerberos(const char *expire_date, time_t now,
end = strptime(expire_date, "%Y%m%d%H%M%SZ", &tm);
if (end == NULL) {
- DEBUG(1, "Kerberos expire date [%s] invalid.\n", expire_date);
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Kerberos expire date [%s] invalid.\n", expire_date);
return EINVAL;
}
if (*end != '\0') {
- DEBUG(1, "Kerberos expire date [%s] contains extra characters.\n",
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Kerberos expire date [%s] contains extra characters.\n",
expire_date);
return EINVAL;
}
expire_time = mktime(&tm);
if (expire_time == -1) {
- DEBUG(1, "mktime failed to convert [%s].\n", expire_date);
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "mktime failed to convert [%s].\n", expire_date);
return EINVAL;
}
@@ -121,7 +124,7 @@ static errno_t check_pwexpire_kerberos(const char *expire_date, time_t now,
tzname[1], timezone, daylight, now, expire_time);
if (difftime(now, expire_time) > 0.0) {
- DEBUG(4, "Kerberos password expired.\n");
+ DEBUG(SSSDBG_CONF_SETTINGS, "Kerberos password expired.\n");
ret = ERR_PASSWORD_EXPIRED;
} else {
if (pwd_exp_warning >= 0) {
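Review bot: `SSSDBG_CONF_SETTINGS` on `"Kerberos password expired.\n"` labels an authentication outcome as a configuration message, because the script maps the old numeric level 4 to a name by position only. The same mismatch shows up in check_pwexpire_shadow (`Account expired.`, `Password expired.`), in sdap_pam_chpass_handler, where `starting password change request for user [%s].` becomes `SSSDBG_OP_FAILURE` although nothing has failed, and in sdap_pam_auth_done (`Password successfully cached for %s`). The emitted output is unchanged, so this belongs in a follow-up rather than in this mechanical commit, but anyone filtering or triaging by level name will misread these events until each one is given a level that matches its meaning. The enclosing `if`/`else` continues outside the hunk.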
@@ -134,7 +137,7 @@ static errno_t check_pwexpire_kerberos(const char *expire_date, time_t now,
expiration_warning == 0)) {
ret = add_expired_warning(pd, (long) difftime(expire_time, now));
if (ret != EOK) {
- DEBUG(1, "add_expired_warning failed.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "add_expired_warning failed.\n");
}
}
ret = EOK;
@@ -152,14 +155,16 @@ static errno_t check_pwexpire_shadow(struct spwd *spwd, time_t now,
int ret;
if (spwd->sp_lstchg <= 0) {
- DEBUG(4, "Last change day is not set, new password needed.\n");
+ DEBUG(SSSDBG_CONF_SETTINGS,
+ "Last change day is not set, new password needed.\n");
return ERR_PASSWORD_EXPIRED;
}
today = (long) (now / (60 * 60 *24));
password_age = today - spwd->sp_lstchg;
if (password_age < 0) {
- DEBUG(2, "The last password change time is in the future!.\n");
+ DEBUG(SSSDBG_OP_FAILURE,
+ "The last password change time is in the future!.\n");
return EOK;
}
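Review bot: A `sp_lstchg` later than today returns `EOK` at this point, so the `sp_max` and `sp_inact` checks further down in check_pwexpire_shadow are never reached for an entry whose last-change day is ahead of the local clock. The only trace is the `SSSDBG_OP_FAILURE` message, which is not emitted at low debug levels. If the intent is to tolerate clock skew, that deserves a comment above the return, for example `/* future sp_lstchg: assumed clock skew, expiry checks are skipped */`; if not, the case should be reported to the caller as an error. The rest of the function is outside the hunk.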
@@ -167,12 +172,12 @@ static errno_t check_pwexpire_shadow(struct spwd *spwd, time_t now,
(spwd->sp_max != -1 && spwd->sp_inact != -1 &&
password_age > spwd->sp_max + spwd->sp_inact))
{
- DEBUG(4, "Account expired.\n");
+ DEBUG(SSSDBG_CONF_SETTINGS, "Account expired.\n");
return ERR_ACCOUNT_EXPIRED;
}
if (spwd->sp_max != -1 && password_age > spwd->sp_max) {
- DEBUG(4, "Password expired.\n");
+ DEBUG(SSSDBG_CONF_SETTINGS, "Password expired.\n");
return ERR_PASSWORD_EXPIRED;
}
@@ -188,7 +193,7 @@ static errno_t check_pwexpire_shadow(struct spwd *spwd, time_t now,
ret = add_expired_warning(pd, exp);
if (ret != EOK) {
- DEBUG(1, "add_expired_warning failed.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "add_expired_warning failed.\n");
}
}
@@ -211,7 +216,7 @@ static errno_t check_pwexpire_ldap(struct pam_data *pd,
data = talloc_size(pd, 2* sizeof(uint32_t));
if (data == NULL) {
- DEBUG(1, "talloc_size failed.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_size failed.\n");
return ENOMEM;
}
@@ -235,7 +240,7 @@ static errno_t check_pwexpire_ldap(struct pam_data *pd,
ret = pam_add_response(pd, SSS_PAM_USER_INFO, 2* sizeof(uint32_t),
(uint8_t*)data);
if (ret != EOK) {
- DEBUG(1, "pam_add_response failed.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "pam_add_response failed.\n");
}
}
@@ -259,23 +264,24 @@ static errno_t find_password_expiration_attributes(TALLOC_CTX *mem_ctx,
pwd_policy = dp_opt_get_string(opts, SDAP_PWD_POLICY);
if (pwd_policy == NULL) {
- DEBUG(1, "Missing password policy.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "Missing password policy.\n");
return EINVAL;
}
if (strcasecmp(pwd_policy, PWD_POL_OPT_NONE) == 0) {
- DEBUG(9, "No password policy requested.\n");
+ DEBUG(SSSDBG_TRACE_ALL, "No password policy requested.\n");
return EOK;
} else if (strcasecmp(pwd_policy, PWD_POL_OPT_MIT) == 0) {
mark = ldb_msg_find_attr_as_string(msg, SYSDB_KRBPW_LASTCHANGE, NULL);
if (mark != NULL) {
- DEBUG(9, "Found Kerberos password expiration attributes.\n");
+ DEBUG(SSSDBG_TRACE_ALL,
+ "Found Kerberos password expiration attributes.\n");
val = ldb_msg_find_attr_as_string(msg, SYSDB_KRBPW_EXPIRATION,
NULL);
if (val != NULL) {
*data = talloc_strdup(mem_ctx, val);
if (*data == NULL) {
- DEBUG(1, "talloc_strdup failed.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_strdup failed.\n");
return ENOMEM;
}
*type = PWEXPIRE_KERBEROS;
@@ -283,7 +289,8 @@ static errno_t find_password_expiration_attributes(TALLOC_CTX *mem_ctx,
return EOK;
}
} else {
- DEBUG(1, "No Kerberos password expiration attributes found, "
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "No Kerberos password expiration attributes found, "
"but MIT Kerberos password policy was requested. "
"Access will be denied.\n");
return EACCES;
@@ -291,10 +298,11 @@ static errno_t find_password_expiration_attributes(TALLOC_CTX *mem_ctx,
} else if (strcasecmp(pwd_policy, PWD_POL_OPT_SHADOW) == 0) {
mark = ldb_msg_find_attr_as_string(msg, SYSDB_SHADOWPW_LASTCHANGE, NULL);
if (mark != NULL) {
- DEBUG(9, "Found shadow password expiration attributes.\n");
+ DEBUG(SSSDBG_TRACE_ALL,
+ "Found shadow password expiration attributes.\n");
spwd = talloc_zero(mem_ctx, struct spwd);
if (spwd == NULL) {
- DEBUG(1, "talloc failed.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc failed.\n");
return ENOMEM;
}
@@ -327,14 +335,14 @@ static errno_t find_password_expiration_attributes(TALLOC_CTX *mem_ctx,
return EOK;
} else {
- DEBUG(1, "No shadow password attributes found, "
+ DEBUG(SSSDBG_CRIT_FAILURE, "No shadow password attributes found, "
"but shadow password policy was requested. "
"Access will be denied.\n");
return EACCES;
}
}
- DEBUG(9, "No password expiration attributes found.\n");
+ DEBUG(SSSDBG_TRACE_ALL, "No password expiration attributes found.\n");
return EOK;
shadow_fail:
@@ -555,12 +563,14 @@ static int get_user_dn(TALLOC_CTX *memctx,
&pw_expire_type,
&pw_expire_data);
if (ret != EOK) {
- DEBUG(1, "find_password_expiration_attributes failed.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "find_password_expiration_attributes failed.\n");
}
break;
default:
- DEBUG(1, "User search by name (%s) returned > 1 results!\n",
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "User search by name (%s) returned > 1 results!\n",
username);
ret = EFAULT;
break;
@@ -660,7 +670,7 @@ static struct tevent_req *auth_get_server(struct tevent_req *req)
state->sdap_service->name,
state->srv == NULL ? true : false);
if (!next_req) {
- DEBUG(1, "be_resolve_server_send failed.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "be_resolve_server_send failed.\n");
return NULL;
}
@@ -688,7 +698,8 @@ static void auth_resolve_done(struct tevent_req *subreq)
/* Determine whether we need to use TLS */
if (sdap_is_secure_uri(state->ctx->service->uri)) {
- DEBUG(8, "[%s] is a secure channel. No need to run START_TLS\n",
+ DEBUG(SSSDBG_TRACE_INTERNAL,
+ "[%s] is a secure channel. No need to run START_TLS\n",
state->ctx->service->uri);
use_tls = false;
} else {
@@ -815,7 +826,7 @@ static void auth_bind_user_done(struct tevent_req *subreq)
ret = sdap_auth_recv(subreq, state, &ppolicy);
talloc_zfree(subreq);
if (ppolicy != NULL) {
- DEBUG(9,"Found ppolicy data, "
+ DEBUG(SSSDBG_TRACE_ALL,"Found ppolicy data, "
"assuming LDAP password policies are active.\n");
state->pw_expire_type = PWEXPIRE_LDAP_PASSWORD_POLICY;
state->pw_expire_data = ppolicy;
@@ -893,7 +904,8 @@ void sdap_pam_chpass_handler(struct be_req *breq)
pd = talloc_get_type(be_req_get_data(breq), struct pam_data);
if (be_is_offline(ctx->be)) {
- DEBUG(4, "Backend is marked offline, retry later!\n");
+ DEBUG(SSSDBG_CONF_SETTINGS,
+ "Backend is marked offline, retry later!\n");
pd->pam_status = PAM_AUTHINFO_UNAVAIL;
dp_err = DP_ERR_OFFLINE;
goto done;
@@ -901,18 +913,21 @@ void sdap_pam_chpass_handler(struct be_req *breq)
if ((pd->priv == 1) && (pd->cmd == SSS_PAM_CHAUTHTOK_PRELIM) &&
(sss_authtok_get_type(pd->authtok) != SSS_AUTHTOK_TYPE_PASSWORD)) {
- DEBUG(4, "Password reset by root is not supported.\n");
+ DEBUG(SSSDBG_CONF_SETTINGS,
+ "Password reset by root is not supported.\n");
pd->pam_status = PAM_PERM_DENIED;
dp_err = DP_ERR_OK;
goto done;
}
- DEBUG(2, "starting password change request for user [%s].\n", pd->user);
+ DEBUG(SSSDBG_OP_FAILURE,
+ "starting password change request for user [%s].\n", pd->user);
pd->pam_status = PAM_SYSTEM_ERR;
if (pd->cmd != SSS_PAM_CHAUTHTOK && pd->cmd != SSS_PAM_CHAUTHTOK_PRELIM) {
- DEBUG(2, "chpass target was called by wrong pam command.\n");
+ DEBUG(SSSDBG_OP_FAILURE,
+ "chpass target was called by wrong pam command.\n");
goto done;
}
@@ -954,7 +969,8 @@ static void sdap_auth4chpass_done(struct tevent_req *req)
talloc_zfree(req);
if ((ret == EOK || ret == ERR_PASSWORD_EXPIRED) &&
state->pd->cmd == SSS_PAM_CHAUTHTOK_PRELIM) {
- DEBUG(9, "Initial authentication for change password operation "
+ DEBUG(SSSDBG_TRACE_ALL,
+ "Initial authentication for change password operation "
"successful.\n");
state->pd->pam_status = PAM_SUCCESS;
dp_err = DP_ERR_OK;
@@ -971,7 +987,8 @@ static void sdap_auth4chpass_done(struct tevent_req *req)
be_ctx->domain->pwd_expiration_warning);
if (ret == ERR_PASSWORD_EXPIRED) {
- DEBUG(1, "LDAP provider cannot change kerberos "
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "LDAP provider cannot change kerberos "
"passwords.\n");
state->pd->pam_status = PAM_SYSTEM_ERR;
goto done;
@@ -981,7 +998,7 @@ static void sdap_auth4chpass_done(struct tevent_req *req)
case PWEXPIRE_NONE:
break;
default:
- DEBUG(1, "Unknow pasword expiration type.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unknow pasword expiration type.\n");
state->pd->pam_status = PAM_SYSTEM_ERR;
goto done;
}
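Review bot: The message `"Unknow pasword expiration type.\n"` is misspelled, and since the line is rewritten by this commit anyway it could be corrected to `DEBUG(SSSDBG_CRIT_FAILURE, "Unknown password expiration type.\n");`. As written, a log search for "password" or "Unknown" does not find it. The identical string is in the `default:` case of sdap_pam_auth_done; the `switch` that encloses this case begins outside the hunk.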
@@ -990,10 +1007,12 @@ static void sdap_auth4chpass_done(struct tevent_req *req)
switch (ret) {
case EOK:
case ERR_PASSWORD_EXPIRED:
- DEBUG(7, "user [%s] successfully authenticated.\n", state->dn);
+ DEBUG(SSSDBG_TRACE_LIBS,
+ "user [%s] successfully authenticated.\n", state->dn);
if (pw_expire_type == PWEXPIRE_SHADOW) {
/* TODO: implement async ldap modify request */
- DEBUG(1, "Changing shadow password attributes not implemented.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Changing shadow password attributes not implemented.\n");
state->pd->pam_status = PAM_MODULE_UNKNOWN;
goto done;
} else {
@@ -1017,7 +1036,8 @@ static void sdap_auth4chpass_done(struct tevent_req *req)
state->sh, state->dn,
password, new_password);
if (!subreq) {
- DEBUG(2, "Failed to change password for %s\n", state->username);
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Failed to change password for %s\n", state->username);
goto done;
}
tevent_req_set_callback(subreq, sdap_pam_chpass_done, state);
@@ -1091,12 +1111,12 @@ static void sdap_pam_chpass_done(struct tevent_req *req)
ret = pack_user_info_chpass_error(state->pd, user_error_message,
&msg_len, &msg);
if (ret != EOK) {
- DEBUG(1, "pack_user_info_chpass_error failed.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "pack_user_info_chpass_error failed.\n");
} else {
ret = pam_add_response(state->pd, SSS_PAM_USER_INFO, msg_len,
msg);
if (ret != EOK) {
- DEBUG(1, "pam_add_response failed.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "pam_add_response failed.\n");
}
}
}
@@ -1165,7 +1185,8 @@ void sdap_pam_auth_handler(struct be_req *breq)
pd = talloc_get_type(be_req_get_data(breq), struct pam_data);
if (be_is_offline(ctx->be)) {
- DEBUG(4, "Backend is marked offline, retry later!\n");
+ DEBUG(SSSDBG_CONF_SETTINGS,
+ "Backend is marked offline, retry later!\n");
pd->pam_status = PAM_AUTHINFO_UNAVAIL;
dp_err = DP_ERR_OFFLINE;
goto done;
@@ -1230,7 +1251,7 @@ static void sdap_pam_auth_done(struct tevent_req *req)
case PWEXPIRE_SHADOW:
ret = check_pwexpire_shadow(pw_expire_data, time(NULL), state->pd);
if (ret != EOK) {
- DEBUG(1, "check_pwexpire_shadow failed.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "check_pwexpire_shadow failed.\n");
state->pd->pam_status = PAM_SYSTEM_ERR;
goto done;
}
@@ -1240,7 +1261,7 @@ static void sdap_pam_auth_done(struct tevent_req *req)
state->pd,
be_ctx->domain->pwd_expiration_warning);
if (ret != EOK) {
- DEBUG(1, "check_pwexpire_kerberos failed.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "check_pwexpire_kerberos failed.\n");
state->pd->pam_status = PAM_SYSTEM_ERR;
goto done;
}
@@ -1249,7 +1270,7 @@ static void sdap_pam_auth_done(struct tevent_req *req)
ret = check_pwexpire_ldap(state->pd, pw_expire_data,
be_ctx->domain->pwd_expiration_warning);
if (ret != EOK) {
- DEBUG(1, "check_pwexpire_ldap failed.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "check_pwexpire_ldap failed.\n");
state->pd->pam_status = PAM_SYSTEM_ERR;
goto done;
}
@@ -1257,7 +1278,7 @@ static void sdap_pam_auth_done(struct tevent_req *req)
case PWEXPIRE_NONE:
break;
default:
- DEBUG(1, "Unknow pasword expiration type.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unknow pasword expiration type.\n");
state->pd->pam_status = PAM_SYSTEM_ERR;
goto done;
}
@@ -1304,10 +1325,10 @@ static void sdap_pam_auth_done(struct tevent_req *req)
/* password caching failures are not fatal errors */
if (ret != EOK) {
- DEBUG(2, "Failed to cache password for %s\n",
+ DEBUG(SSSDBG_OP_FAILURE, "Failed to cache password for %s\n",
state->pd->user);
} else {
- DEBUG(4, "Password successfully cached for %s\n",
+ DEBUG(SSSDBG_CONF_SETTINGS, "Password successfully cached for %s\n",
state->pd->user);
}
}
diff --git a/src/providers/ldap/ldap_child.c b/src/providers/ldap/ldap_child.c
index 7c60c0f73..34f23ec80 100644
--- a/src/providers/ldap/ldap_child.c
+++ b/src/providers/ldap/ldap_child.c
@@ -255,7 +255,7 @@ static krb5_error_code ldap_child_get_tgt_sync(TALLOC_CTX *memctx,
krberr = krb5_parse_name(context, full_princ, &kprinc);
if (krberr) {
- DEBUG(2, "Unable to build principal: %s\n",
+ DEBUG(SSSDBG_OP_FAILURE, "Unable to build principal: %s\n",
sss_krb5_get_error_message(context, krberr));
goto done;
}
@@ -405,7 +405,7 @@ static int prepare_response(TALLOC_CTX *mem_ctx,
}
if (ret != EOK) {
- DEBUG(1, "pack_buffer failed\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "pack_buffer failed\n");
return ret;
}
@@ -485,13 +485,13 @@ int main(int argc, const char *argv[])
buf = talloc_size(main_ctx, sizeof(uint8_t)*IN_BUF_SIZE);
if (buf == NULL) {
- DEBUG(1, "talloc_size failed.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_size failed.\n");
goto fail;
}
ibuf = talloc_zero(main_ctx, struct input_buffer);
if (ibuf == NULL) {
- DEBUG(1, "talloc_size failed.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_size failed.\n");
goto fail;
}
@@ -509,7 +509,8 @@ int main(int argc, const char *argv[])
ret = unpack_buffer(buf, len, ibuf);
if (ret != EOK) {
- DEBUG(1, "unpack_buffer failed.[%d][%s].\n", ret, strerror(ret));
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "unpack_buffer failed.[%d][%s].\n", ret, strerror(ret));
goto fail;
}
diff --git a/src/providers/ldap/ldap_common.c b/src/providers/ldap/ldap_common.c
index 890e7a4a4..7d52e739a 100644
--- a/src/providers/ldap/ldap_common.c
+++ b/src/providers/ldap/ldap_common.c
@@ -272,14 +272,15 @@ int ldap_get_options(TALLOC_CTX *memctx,
if (ret != EOK) {
goto done;
}
- DEBUG(6, "Option %s set to %s\n",
+ DEBUG(SSSDBG_TRACE_FUNC, "Option %s set to %s\n",
opts->basic[search_base_options[o]].opt_name,
dp_opt_get_string(opts->basic,
search_base_options[o]));
}
}
} else {
- DEBUG(5, "Search base not set, trying to discover it later when "
+ DEBUG(SSSDBG_FUNC_DATA,
+ "Search base not set, trying to discover it later when "
"connecting to the LDAP server.\n");
}
@@ -315,14 +316,16 @@ int ldap_get_options(TALLOC_CTX *memctx,
pwd_policy = dp_opt_get_string(opts->basic, SDAP_PWD_POLICY);
if (pwd_policy == NULL) {
- DEBUG(1, "Missing password policy, this may not happen.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Missing password policy, this may not happen.\n");
ret = EINVAL;
goto done;
}
if (strcasecmp(pwd_policy, PWD_POL_OPT_NONE) != 0 &&
strcasecmp(pwd_policy, PWD_POL_OPT_SHADOW) != 0 &&
strcasecmp(pwd_policy, PWD_POL_OPT_MIT) != 0) {
- DEBUG(1, "Unsupported password policy [%s].\n", pwd_policy);
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Unsupported password policy [%s].\n", pwd_policy);
ret = EINVAL;
goto done;
}
@@ -332,7 +335,7 @@ int ldap_get_options(TALLOC_CTX *memctx,
CONFDB_PAM_CRED_TIMEOUT, 0,
&offline_credentials_expiration);
if (ret != EOK) {
- DEBUG(1, "Cannot get value of %s from confdb \n",
+ DEBUG(SSSDBG_CRIT_FAILURE, "Cannot get value of %s from confdb \n",
CONFDB_PAM_CRED_TIMEOUT);
goto done;
}
@@ -349,7 +352,8 @@ int ldap_get_options(TALLOC_CTX *memctx,
* entries must not be purged from cache.
*/
if (!offline_credentials_expiration && account_cache_expiration) {
- DEBUG(1, "Conflicting values for options %s (unlimited) "
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Conflicting values for options %s (unlimited) "
"and %s (%d)\n",
opts->basic[SDAP_ACCOUNT_CACHE_EXPIRATION].opt_name,
CONFDB_PAM_CRED_TIMEOUT,
@@ -359,7 +363,7 @@ int ldap_get_options(TALLOC_CTX *memctx,
}
if (offline_credentials_expiration && account_cache_expiration &&
offline_credentials_expiration > account_cache_expiration) {
- DEBUG(1, "Value of %s (now %d) must be larger "
+ DEBUG(SSSDBG_CRIT_FAILURE, "Value of %s (now %d) must be larger "
"than value of %s (now %d)\n",
opts->basic[SDAP_ACCOUNT_CACHE_EXPIRATION].opt_name,
account_cache_expiration,
@@ -373,7 +377,7 @@ int ldap_get_options(TALLOC_CTX *memctx,
if (ldap_deref != NULL) {
ret = deref_string_to_val(ldap_deref, &ldap_deref_val);
if (ret != EOK) {
- DEBUG(1, "Failed to verify ldap_deref option.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to verify ldap_deref option.\n");
goto done;
}
}
@@ -383,7 +387,8 @@ int ldap_get_options(TALLOC_CTX *memctx,
ldap_referrals = dp_opt_get_bool(opts->basic, SDAP_REFERRALS);
if (ldap_referrals) {
- DEBUG(1, "LDAP referrals are not supported, because the LDAP library "
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "LDAP referrals are not supported, because the LDAP library "
"is too old, see sssd-ldap(5) for details.\n");
ret = dp_opt_set_bool(opts->basic, SDAP_REFERRALS, false);
}
@@ -423,7 +428,7 @@ int ldap_get_options(TALLOC_CTX *memctx,
default_netgroup_map = netgroup_map;
default_service_map = service_map;
} else {
- DEBUG(0, "Unrecognized schema type: %s\n", schema);
+ DEBUG(SSSDBG_FATAL_FAILURE, "Unrecognized schema type: %s\n", schema);
ret = EINVAL;
goto done;
}
@@ -472,26 +477,26 @@ int ldap_get_options(TALLOC_CTX *memctx,
/* FIXME - this can be removed in a future version */
ret = krb5_try_kdcip(cdb, conf_path, opts->basic, SDAP_KRB5_KDC);
if (ret != EOK) {
- DEBUG(1, "sss_krb5_try_kdcip failed.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "sss_krb5_try_kdcip failed.\n");
goto done;
}
authtok_type = dp_opt_get_string(opts->basic, SDAP_DEFAULT_AUTHTOK_TYPE);
if (authtok_type != NULL &&
strcasecmp(authtok_type,"obfuscated_password") == 0) {
- DEBUG(9, "Found obfuscated password, "
+ DEBUG(SSSDBG_TRACE_ALL, "Found obfuscated password, "
"trying to convert to cleartext.\n");
authtok_blob = dp_opt_get_blob(opts->basic, SDAP_DEFAULT_AUTHTOK);
if (authtok_blob.data == NULL || authtok_blob.length == 0) {
- DEBUG(1, "Missing obfuscated password string.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "Missing obfuscated password string.\n");
return EINVAL;
}
ret = sss_password_decrypt(memctx, (char *) authtok_blob.data,
&cleartext);
if (ret != EOK) {
- DEBUG(1, "Cannot convert the obfuscated "
+ DEBUG(SSSDBG_CRIT_FAILURE, "Cannot convert the obfuscated "
"password back to cleartext\n");
return ret;
}
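Review bot: The obfuscated-password branch leaves ldap_get_options through `return EINVAL;` and `return ret;`, while the `krb5_try_kdcip` failure a few lines earlier in the same hunk uses `goto done;`. The `done` label is outside the hunk, so what it releases cannot be confirmed here, but if it frees the partially built options these two returns skip that cleanup. Suggested: `ret = EINVAL; goto done;` for the missing blob and a plain `goto done;` after the `sss_password_decrypt` failure.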
@@ -501,14 +506,14 @@ int ldap_get_options(TALLOC_CTX *memctx,
ret = dp_opt_set_blob(opts->basic, SDAP_DEFAULT_AUTHTOK, authtok_blob);
talloc_free(cleartext);
if (ret != EOK) {
- DEBUG(1, "dp_opt_set_string failed.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "dp_opt_set_string failed.\n");
return ret;
}
ret = dp_opt_set_string(opts->basic, SDAP_DEFAULT_AUTHTOK_TYPE,
"password");
if (ret != EOK) {
- DEBUG(1, "dp_opt_set_string failed.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "dp_opt_set_string failed.\n");
return ret;
}
}
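Review bot: `talloc_free(cleartext)` releases the decrypted bind password without overwriting it, so the plaintext can stay readable in freed heap memory until that memory is reused. The declaration of `cleartext` is outside the hunk; assuming it is a NUL-terminated string, its `strlen(cleartext)` bytes should be wiped before the free with a routine the compiler cannot optimise away, since a plain `memset` directly before a free may be dropped. The copy held by the option store after `dp_opt_set_blob` stays in memory by design, so this only narrows the exposure. The two `return ret;` exits in this hunk also bypass `done`, as in the preceding hunk.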
@@ -1030,7 +1035,7 @@ static void sdap_uri_callback(void *private_data, struct fo_server *server)
tmp_ctx = talloc_new(NULL);
if (tmp_ctx == NULL) {
- DEBUG(1, "talloc_new failed\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_new failed\n");
return;
}
@@ -1044,7 +1049,8 @@ static void sdap_uri_callback(void *private_data, struct fo_server *server)
srvaddr = fo_get_server_hostent(server);
if (!srvaddr) {
- DEBUG(1, "FATAL: No hostent available for server (%s)\n",
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "FATAL: No hostent available for server (%s)\n",
fo_get_server_str_name(server));
talloc_free(tmp_ctx);
return;
@@ -1053,20 +1059,20 @@ static void sdap_uri_callback(void *private_data, struct fo_server *server)
sockaddr = resolv_get_sockaddr_address(tmp_ctx, srvaddr,
fo_get_server_port(server));
if (sockaddr == NULL) {
- DEBUG(1, "resolv_get_sockaddr_address failed.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "resolv_get_sockaddr_address failed.\n");
talloc_free(tmp_ctx);
return;
}
if (fo_is_srv_lookup(server)) {
if (!tmp) {
- DEBUG(1, "Unknown service, using ldap\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unknown service, using ldap\n");
tmp = SSS_LDAP_SRV_NAME;
}
srv_name = fo_get_server_name(server);
if (srv_name == NULL) {
- DEBUG(1, "Could not get server host name\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "Could not get server host name\n");
talloc_free(tmp_ctx);
return;
}
@@ -1079,12 +1085,12 @@ static void sdap_uri_callback(void *private_data, struct fo_server *server)
}
if (!new_uri) {
- DEBUG(2, "Failed to copy URI ...\n");
+ DEBUG(SSSDBG_OP_FAILURE, "Failed to copy URI ...\n");
talloc_free(tmp_ctx);
return;
}
- DEBUG(6, "Constructed uri '%s'\n", new_uri);
+ DEBUG(SSSDBG_TRACE_FUNC, "Constructed uri '%s'\n", new_uri);
/* free old one and replace with new one */
talloc_zfree(service->uri);
@@ -1106,7 +1112,7 @@ static void sdap_finalize(struct tevent_context *ev,
ret = remove_krb5_info_files(se, realm);
if (ret != EOK) {
- DEBUG(1, "remove_krb5_info_files failed.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "remove_krb5_info_files failed.\n");
}
orderly_shutdown(0);
@@ -1123,14 +1129,14 @@ errno_t sdap_install_sigterm_handler(TALLOC_CTX *mem_ctx,
sig_realm = talloc_strdup(mem_ctx, realm);
if (sig_realm == NULL) {
- DEBUG(1, "talloc_strdup failed!\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_strdup failed!\n");
return ENOMEM;
}
sige = tevent_add_signal(ev, mem_ctx, SIGTERM, SA_SIGINFO, sdap_finalize,
sig_realm);
if (sige == NULL) {
- DEBUG(1, "tevent_add_signal failed.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "tevent_add_signal failed.\n");
talloc_free(sig_realm);
return ENOMEM;
}
@@ -1149,7 +1155,8 @@ void sdap_remove_kdcinfo_files_callback(void *pvt)
ret = be_fo_run_callbacks_at_next_request(ctx->be_ctx,
ctx->kdc_service_name);
if (ret != EOK) {
- DEBUG(1, "be_fo_run_callbacks_at_next_request failed, "
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "be_fo_run_callbacks_at_next_request failed, "
"krb5 info files will not be removed, because "
"it is unclear if they will be recreated properly.\n");
return;
@@ -1157,13 +1164,14 @@ void sdap_remove_kdcinfo_files_callback(void *pvt)
tmp_ctx = talloc_new(NULL);
if (tmp_ctx == NULL) {
- DEBUG(1, "talloc_new failed, cannot remove krb5 info files.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "talloc_new failed, cannot remove krb5 info files.\n");
return;
}
ret = remove_krb5_info_files(tmp_ctx, ctx->realm);
if (ret != EOK) {
- DEBUG(1, "remove_krb5_info_files failed.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "remove_krb5_info_files failed.\n");
}
talloc_zfree(tmp_ctx);
@@ -1180,7 +1188,7 @@ errno_t sdap_install_offline_callback(TALLOC_CTX *mem_ctx,
ctx = talloc_zero(mem_ctx, struct remove_info_files_ctx);
if (ctx == NULL) {
- DEBUG(1, "talloc_zfree failed.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_zfree failed.\n");
return ENOMEM;
}
@@ -1188,7 +1196,7 @@ errno_t sdap_install_offline_callback(TALLOC_CTX *mem_ctx,
ctx->realm = talloc_strdup(ctx, realm);
ctx->kdc_service_name = talloc_strdup(ctx, service_name);
if (ctx->realm == NULL || ctx->kdc_service_name == NULL) {
- DEBUG(1, "talloc_strdup failed!\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_strdup failed!\n");
ret = ENOMEM;
goto done;
}
@@ -1197,7 +1205,7 @@ errno_t sdap_install_offline_callback(TALLOC_CTX *mem_ctx,
sdap_remove_kdcinfo_files_callback,
ctx, NULL);
if (ret != EOK) {
- DEBUG(1, "be_add_offline_cb failed.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "be_add_offline_cb failed.\n");
goto done;
}
@@ -1307,13 +1315,13 @@ sdap_gssapi_get_default_realm(TALLOC_CTX *mem_ctx)
krberr = krb5_init_context(&context);
if (krberr) {
- DEBUG(2, "Failed to init kerberos context\n");
+ DEBUG(SSSDBG_OP_FAILURE, "Failed to init kerberos context\n");
goto done;
}
krberr = krb5_get_default_realm(context, &krb5_realm);
if (krberr) {
- DEBUG(2, "Failed to get default realm name: %s\n",
+ DEBUG(SSSDBG_OP_FAILURE, "Failed to get default realm name: %s\n",
sss_krb5_get_error_message(context, krberr));
goto done;
}
@@ -1321,11 +1329,11 @@ sdap_gssapi_get_default_realm(TALLOC_CTX *mem_ctx)
realm = talloc_strdup(mem_ctx, krb5_realm);
krb5_free_default_realm(context, krb5_realm);
if (!realm) {
- DEBUG(0, "Out of memory\n");
+ DEBUG(SSSDBG_FATAL_FAILURE, "Out of memory\n");
goto done;
}
- DEBUG(7, "Will use default realm %s\n", realm);
+ DEBUG(SSSDBG_TRACE_LIBS, "Will use default realm %s\n", realm);
done:
if (context) krb5_free_context(context);
return realm;
@@ -1353,10 +1361,12 @@ int sdap_gssapi_init(TALLOC_CTX *mem_ctx,
krb5_opt_realm = dp_opt_get_string(opts, SDAP_KRB5_REALM);
if (krb5_opt_realm == NULL) {
- DEBUG(2, "Missing krb5_realm option, will use libkrb default\n");
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Missing krb5_realm option, will use libkrb default\n");
krb5_realm = sdap_gssapi_get_default_realm(tmp_ctx);
if (krb5_realm == NULL) {
- DEBUG(0, "Cannot determine the Kerberos realm, aborting\n");
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "Cannot determine the Kerberos realm, aborting\n");
ret = EIO;
goto done;
}
@@ -1375,20 +1385,20 @@ int sdap_gssapi_init(TALLOC_CTX *mem_ctx,
SDAP_KRB5_USE_KDCINFO),
&service);
if (ret != EOK) {
- DEBUG(0, "Failed to init KRB5 failover service!\n");
+ DEBUG(SSSDBG_FATAL_FAILURE, "Failed to init KRB5 failover service!\n");
goto done;
}
ret = sdap_install_sigterm_handler(mem_ctx, bectx->ev, krb5_realm);
if (ret != EOK) {
- DEBUG(0, "Failed to install sigterm handler\n");
+ DEBUG(SSSDBG_FATAL_FAILURE, "Failed to install sigterm handler\n");
goto done;
}
ret = sdap_install_offline_callback(mem_ctx, bectx,
krb5_realm, SSS_KRB5KDC_FO_SRV);
if (ret != EOK) {
- DEBUG(0, "Failed to install sigterm handler\n");
+ DEBUG(SSSDBG_FATAL_FAILURE, "Failed to install sigterm handler\n");
goto done;
}
@@ -1430,7 +1440,7 @@ static errno_t _sdap_urls_init(struct be_ctx *ctx,
/* split server parm into a list */
ret = split_on_separator(tmp_ctx, urls, ',', true, true, &list, NULL);
if (ret != EOK) {
- DEBUG(1, "Failed to parse server list!\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to parse server list!\n");
goto done;
}
@@ -1446,7 +1456,8 @@ static errno_t _sdap_urls_init(struct be_ctx *ctx,
}
if (!dns_service_name) {
- DEBUG(0, "Missing DNS service name for service [%s].\n",
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "Missing DNS service name for service [%s].\n",
service_name);
ret = EINVAL;
goto done;
@@ -1461,29 +1472,31 @@ static errno_t _sdap_urls_init(struct be_ctx *ctx,
dns_service_name, NULL,
BE_FO_PROTO_TCP, false, srv_user_data);
if (ret) {
- DEBUG(0, "Failed to add server\n");
+ DEBUG(SSSDBG_FATAL_FAILURE, "Failed to add server\n");
goto done;
}
- DEBUG(6, "Added service lookup\n");
+ DEBUG(SSSDBG_TRACE_FUNC, "Added service lookup\n");
continue;
}
ret = ldap_url_parse(list[i], &lud);
if (ret != LDAP_SUCCESS) {
- DEBUG(0, "Failed to parse ldap URI (%s)!\n", list[i]);
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "Failed to parse ldap URI (%s)!\n", list[i]);
ret = EINVAL;
goto done;
}
if (lud->lud_host == NULL) {
- DEBUG(2, "The LDAP URI (%s) did not contain a host name\n",
+ DEBUG(SSSDBG_OP_FAILURE,
+ "The LDAP URI (%s) did not contain a host name\n",
list[i]);
ldap_free_urldesc(lud);
continue;
}
- DEBUG(6, "Added URI %s\n", list[i]);
+ DEBUG(SSSDBG_TRACE_FUNC, "Added URI %s\n", list[i]);
talloc_steal(service, list[i]);
@@ -1613,12 +1626,13 @@ errno_t string_to_shadowpw_days(const char *s, long *d)
errno = 0;
l = strtol(s, &endptr, 10);
if (errno != 0) {
- DEBUG(1, "strtol failed [%d][%s].\n", errno, strerror(errno));
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "strtol failed [%d][%s].\n", errno, strerror(errno));
return errno;
}
if (*endptr != '\0') {
- DEBUG(1, "Input string [%s] is invalid.\n", s);
+ DEBUG(SSSDBG_CRIT_FAILURE, "Input string [%s] is invalid.\n", s);
return EINVAL;
}
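Review bot: `return errno;` runs after the `DEBUG` call, which formats and writes a log line and calls `strerror`, so errno may have changed by then and the caller can receive a code other than the one `strtol` set, possibly 0. Save the value first: `int err = errno;`, log `err` and `strerror(err)`, then `return err;`. The function's locals and its remaining checks are outside the hunk.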
diff --git a/src/providers/ldap/ldap_id.c b/src/providers/ldap/ldap_id.c
index 7a2016345..ab0a5c911 100644
--- a/src/providers/ldap/ldap_id.c
+++ b/src/providers/ldap/ldap_id.c
@@ -95,7 +95,7 @@ struct tevent_req *users_get_send(TALLOC_CTX *memctx,
state->op = sdap_id_op_create(state, state->conn->conn_cache);
if (!state->op) {
- DEBUG(2, "sdap_id_op_create failed\n");
+ DEBUG(SSSDBG_OP_FAILURE, "sdap_id_op_create failed\n");
ret = ENOMEM;
goto fail;
}
@@ -209,7 +209,7 @@ struct tevent_req *users_get_send(TALLOC_CTX *memctx,
talloc_zfree(clean_name);
if (!state->filter) {
- DEBUG(2, "Failed to build the base filter\n");
+ DEBUG(SSSDBG_OP_FAILURE, "Failed to build the base filter\n");
ret = ENOMEM;
goto fail;
}
@@ -548,7 +548,7 @@ struct tevent_req *groups_get_send(TALLOC_CTX *memctx,
state->op = sdap_id_op_create(state, state->conn->conn_cache);
if (!state->op) {
- DEBUG(2, "sdap_id_op_create failed\n");
+ DEBUG(SSSDBG_OP_FAILURE, "sdap_id_op_create failed\n");
ret = ENOMEM;
goto fail;
}
@@ -662,7 +662,7 @@ struct tevent_req *groups_get_send(TALLOC_CTX *memctx,
talloc_zfree(clean_name);
if (!state->filter) {
- DEBUG(2, "Failed to build filter\n");
+ DEBUG(SSSDBG_OP_FAILURE, "Failed to build filter\n");
ret = ENOMEM;
goto fail;
}
@@ -954,7 +954,7 @@ static struct tevent_req *groups_by_user_send(TALLOC_CTX *memctx,
state->op = sdap_id_op_create(state, state->conn->conn_cache);
if (!state->op) {
- DEBUG(2, "sdap_id_op_create failed\n");
+ DEBUG(SSSDBG_OP_FAILURE, "sdap_id_op_create failed\n");
ret = ENOMEM;
goto fail;
}
@@ -1127,7 +1127,7 @@ void sdap_do_online_check(struct be_req *be_req, struct sdap_id_ctx *ctx)
be_ctx, ctx->conn->service, false,
CON_TLS_DFL, false);
if (req == NULL) {
- DEBUG(1, "sdap_cli_connect_send failed.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "sdap_cli_connect_send failed.\n");
ret = EIO;
goto fail;
}
diff --git a/src/providers/ldap/ldap_id_cleanup.c b/src/providers/ldap/ldap_id_cleanup.c
index 945b405f8..6b0bead28 100644
--- a/src/providers/ldap/ldap_id_cleanup.c
+++ b/src/providers/ldap/ldap_id_cleanup.c
@@ -189,7 +189,7 @@ static int cleanup_users(struct sdap_options *opts,
}
account_cache_expiration = dp_opt_get_int(opts->basic, SDAP_ACCOUNT_CACHE_EXPIRATION);
- DEBUG(9, "Cache expiration is set to %d days\n",
+ DEBUG(SSSDBG_TRACE_ALL, "Cache expiration is set to %d days\n",
account_cache_expiration);
if (account_cache_expiration > 0) {
@@ -210,7 +210,7 @@ static int cleanup_users(struct sdap_options *opts,
SYSDB_LAST_LOGIN);
}
if (!subfilter) {
- DEBUG(2, "Failed to build filter\n");
+ DEBUG(SSSDBG_OP_FAILURE, "Failed to build filter\n");
ret = ENOMEM;
goto done;
}
@@ -241,7 +241,7 @@ static int cleanup_users(struct sdap_options *opts,
for (i = 0; i < count; i++) {
name = ldb_msg_find_attr_as_string(msgs[i], SYSDB_NAME, NULL);
if (!name) {
- DEBUG(2, "Entry %s has no Name Attribute ?!?\n",
+ DEBUG(SSSDBG_OP_FAILURE, "Entry %s has no Name Attribute ?!?\n",
ldb_dn_get_linearized(msgs[i]->dn));
ret = EFAULT;
goto done;
@@ -251,7 +251,8 @@ static int cleanup_users(struct sdap_options *opts,
ret = cleanup_users_logged_in(uid_table, msgs[i]);
if (ret == EOK) {
/* If the user is logged in, proceed to the next one */
- DEBUG(5, "User %s is still logged in or a dummy entry, "
+ DEBUG(SSSDBG_FUNC_DATA,
+ "User %s is still logged in or a dummy entry, "
"keeping data\n", name);
continue;
} else if (ret != ENOENT) {
@@ -260,7 +261,7 @@ static int cleanup_users(struct sdap_options *opts,
}
/* If not logged in or cannot check the table, delete him */
- DEBUG(9, "About to delete user %s\n", name);
+ DEBUG(SSSDBG_TRACE_ALL, "About to delete user %s\n", name);
ret = sysdb_delete_user(dom, name, 0);
if (ret) {
goto done;
@@ -331,7 +332,7 @@ static int cleanup_groups(TALLOC_CTX *memctx,
SYSDB_CACHE_EXPIRE,
SYSDB_CACHE_EXPIRE, (long)now);
if (!subfilter) {
- DEBUG(2, "Failed to build filter\n");
+ DEBUG(SSSDBG_OP_FAILURE, "Failed to build filter\n");
ret = ENOMEM;
goto done;
}
@@ -373,7 +374,7 @@ static int cleanup_groups(TALLOC_CTX *memctx,
subfilter = talloc_asprintf(tmpctx, "(%s=%s)", SYSDB_MEMBEROF, dn);
}
if (!subfilter) {
- DEBUG(2, "Failed to build filter\n");
+ DEBUG(SSSDBG_OP_FAILURE, "Failed to build filter\n");
ret = ENOMEM;
goto done;
}
@@ -393,16 +394,16 @@ static int cleanup_groups(TALLOC_CTX *memctx,
name = ldb_msg_find_attr_as_string(msgs[i], SYSDB_NAME, NULL);
if (!name) {
- DEBUG(2, "Entry %s has no Name Attribute ?!?\n",
+ DEBUG(SSSDBG_OP_FAILURE, "Entry %s has no Name Attribute ?!?\n",
ldb_dn_get_linearized(msgs[i]->dn));
ret = EFAULT;
goto done;
}
- DEBUG(8, "About to delete group %s\n", name);
+ DEBUG(SSSDBG_TRACE_INTERNAL, "About to delete group %s\n", name);
ret = sysdb_delete_group(domain, name, 0);
if (ret) {
- DEBUG(2, "Group delete returned %d (%s)\n",
+ DEBUG(SSSDBG_OP_FAILURE, "Group delete returned %d (%s)\n",
ret, strerror(ret));
goto done;
}
diff --git a/src/providers/ldap/ldap_id_netgroup.c b/src/providers/ldap/ldap_id_netgroup.c
index f38511a21..1fb01cf1f 100644
--- a/src/providers/ldap/ldap_id_netgroup.c
+++ b/src/providers/ldap/ldap_id_netgroup.c
@@ -82,7 +82,7 @@ struct tevent_req *ldap_netgroup_get_send(TALLOC_CTX *memctx,
state->op = sdap_id_op_create(state, state->conn->conn_cache);
if (!state->op) {
- DEBUG(2, "sdap_id_op_create failed\n");
+ DEBUG(SSSDBG_OP_FAILURE, "sdap_id_op_create failed\n");
ret = ENOMEM;
goto fail;
}
@@ -102,7 +102,7 @@ struct tevent_req *ldap_netgroup_get_send(TALLOC_CTX *memctx,
clean_name,
ctx->opts->netgroup_map[SDAP_OC_NETGROUP].name);
if (!state->filter) {
- DEBUG(2, "Failed to build filter\n");
+ DEBUG(SSSDBG_OP_FAILURE, "Failed to build filter\n");
ret = ENOMEM;
goto fail;
}
@@ -208,7 +208,8 @@ static void ldap_netgroup_get_done(struct tevent_req *subreq)
}
if (ret == EOK && state->count > 1) {
- DEBUG(1, "Found more than one netgroup with the name [%s].\n",
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Found more than one netgroup with the name [%s].\n",
state->name);
tevent_req_error(req, EINVAL);
return;
diff --git a/src/providers/ldap/ldap_init.c b/src/providers/ldap/ldap_init.c
index a228f5bd7..a14e6ceae 100644
--- a/src/providers/ldap/ldap_init.c
+++ b/src/providers/ldap/ldap_init.c
@@ -75,7 +75,8 @@ errno_t check_order_list_for_duplicates(char **list,
cmp = strcasecmp(list[c], list[d]);
}
if (cmp == 0) {
- DEBUG(1, "Duplicate string [%s] found.\n", list[c]);
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Duplicate string [%s] found.\n", list[c]);
return EINVAL;
}
}
@@ -100,7 +101,8 @@ int sssm_ldap_id_init(struct be_ctx *bectx,
/* If we're already set up, just return that */
if(bectx->bet_info[BET_ID].mod_name &&
strcmp("ldap", bectx->bet_info[BET_ID].mod_name) == 0) {
- DEBUG(8, "Re-using sdap_id_ctx for this provider\n");
+ DEBUG(SSSDBG_TRACE_INTERNAL,
+ "Re-using sdap_id_ctx for this provider\n");
*ops = bectx->bet_info[BET_ID].bet_ops;
*pvt_data = bectx->bet_info[BET_ID].pvt_bet_data;
return EOK;
@@ -142,7 +144,8 @@ int sssm_ldap_id_init(struct be_ctx *bectx,
ctx->be, ctx->conn->service,
&ctx->krb5_service);
if (ret != EOK) {
- DEBUG(1, "sdap_gssapi_init failed [%d][%s].\n",
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "sdap_gssapi_init failed [%d][%s].\n",
ret, strerror(ret));
goto done;
}
@@ -151,7 +154,7 @@ int sssm_ldap_id_init(struct be_ctx *bectx,
ret = setup_tls_config(ctx->opts->basic);
if (ret != EOK) {
- DEBUG(1, "setup_tls_config failed [%d][%s].\n",
+ DEBUG(SSSDBG_CRIT_FAILURE, "setup_tls_config failed [%d][%s].\n",
ret, strerror(ret));
goto done;
}
@@ -167,7 +170,7 @@ int sssm_ldap_id_init(struct be_ctx *bectx,
ret = sdap_setup_child();
if (ret != EOK) {
- DEBUG(1, "setup_child failed [%d][%s].\n",
+ DEBUG(SSSDBG_CRIT_FAILURE, "setup_child failed [%d][%s].\n",
ret, strerror(ret));
goto done;
}
@@ -243,7 +246,7 @@ int sssm_ldap_chpass_init(struct be_ctx *bectx,
ret = sssm_ldap_auth_init(bectx, ops, &data);
if (ret != EOK) {
- DEBUG(1, "sssm_ldap_auth_init failed.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "sssm_ldap_auth_init failed.\n");
goto done;
}
@@ -252,21 +255,24 @@ int sssm_ldap_chpass_init(struct be_ctx *bectx,
dns_service_name = dp_opt_get_string(ctx->opts->basic,
SDAP_CHPASS_DNS_SERVICE_NAME);
if (dns_service_name) {
- DEBUG(7, "Service name for chpass discovery set to %s\n",
+ DEBUG(SSSDBG_TRACE_LIBS,
+ "Service name for chpass discovery set to %s\n",
dns_service_name);
}
urls = dp_opt_get_string(ctx->opts->basic, SDAP_CHPASS_URI);
backup_urls = dp_opt_get_string(ctx->opts->basic, SDAP_CHPASS_BACKUP_URI);
if (!urls && !backup_urls && !dns_service_name) {
- DEBUG(9, "ldap_chpass_uri and ldap_chpass_dns_service_name not set, "
+ DEBUG(SSSDBG_TRACE_ALL,
+ "ldap_chpass_uri and ldap_chpass_dns_service_name not set, "
"using ldap_uri.\n");
ctx->chpass_service = NULL;
} else {
ret = sdap_service_init(ctx, ctx->be, "LDAP_CHPASS", dns_service_name,
urls, backup_urls, &ctx->chpass_service);
if (ret != EOK) {
- DEBUG(1, "Failed to initialize failover service!\n");
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Failed to initialize failover service!\n");
goto done;
}
}
@@ -304,27 +310,28 @@ int sssm_ldap_access_init(struct be_ctx *bectx,
ret = sssm_ldap_id_init(bectx, ops, (void **)&access_ctx->id_ctx);
if (ret != EOK) {
- DEBUG(1, "sssm_ldap_id_init failed.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "sssm_ldap_id_init failed.\n");
goto done;
}
order = dp_opt_get_cstring(access_ctx->id_ctx->opts->basic,
SDAP_ACCESS_ORDER);
if (order == NULL) {
- DEBUG(1, "ldap_access_order not given, using 'filter'.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "ldap_access_order not given, using 'filter'.\n");
order = "filter";
}
ret = split_on_separator(access_ctx, order, ',', true, true,
&order_list, &order_list_len);
if (ret != EOK) {
- DEBUG(1, "split_on_separator failed.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "split_on_separator failed.\n");
goto done;
}
ret = check_order_list_for_duplicates(order_list, false);
if (ret != EOK) {
- DEBUG(1, "check_order_list_for_duplicates failed.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "check_order_list_for_duplicates failed.\n");
goto done;
}
@@ -346,7 +353,8 @@ int sssm_ldap_access_init(struct be_ctx *bectx,
/* It's okay if this is NULL. In that case we will simply act
* like the 'deny' provider.
*/
- DEBUG(0, "Warning: LDAP access rule 'filter' is set, "
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "Warning: LDAP access rule 'filter' is set, "
"but no ldap_access_filter configured. "
"All domain users will be denied access.\n");
} else {
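Review bot: The message logged when 'filter' is set without ldap_access_filter starts with "Warning:" and the comment above it says a NULL filter is acceptable, yet it is now labelled SSSDBG_FATAL_FAILURE. The two later hunks in sssm_ldap_access_init (the 'expire' rule and the empty ldap_access_order case) have the same mismatch. The old level 0 may have been chosen so that a deny-all configuration is always visible, in which case a comment should say so, for example `/* Most visible level on purpose: this configuration denies every domain user. */`. Otherwise `SSSDBG_CRIT_FAILURE` describes a non-fatal misconfiguration more accurately. The function body extends beyond the hunk.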
@@ -363,7 +371,8 @@ int sssm_ldap_access_init(struct be_ctx *bectx,
dummy = dp_opt_get_cstring(access_ctx->id_ctx->opts->basic,
SDAP_ACCOUNT_EXPIRE_POLICY);
if (dummy == NULL) {
- DEBUG(0, "Warning: LDAP access rule 'expire' is set, "
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "Warning: LDAP access rule 'expire' is set, "
"but no ldap_account_expire_policy configured. "
"All domain users will be denied access.\n");
} else {
@@ -373,7 +382,8 @@ int sssm_ldap_access_init(struct be_ctx *bectx,
strcasecmp(dummy, LDAP_ACCOUNT_EXPIRE_RHDS) != 0 &&
strcasecmp(dummy, LDAP_ACCOUNT_EXPIRE_IPA) != 0 &&
strcasecmp(dummy, LDAP_ACCOUNT_EXPIRE_389DS) != 0) {
- DEBUG(1, "Unsupported LDAP account expire policy [%s].\n",
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Unsupported LDAP account expire policy [%s].\n",
dummy);
ret = EINVAL;
goto done;
@@ -384,14 +394,15 @@ int sssm_ldap_access_init(struct be_ctx *bectx,
} else if (strcasecmp(order_list[c], LDAP_ACCESS_HOST_NAME) == 0) {
access_ctx->access_rule[c] = LDAP_ACCESS_HOST;
} else {
- DEBUG(1, "Unexpected access rule name [%s].\n", order_list[c]);
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Unexpected access rule name [%s].\n", order_list[c]);
ret = EINVAL;
goto done;
}
}
access_ctx->access_rule[c] = LDAP_ACCESS_EMPTY;
if (c == 0) {
- DEBUG(0, "Warning: access_provider=ldap set, "
+ DEBUG(SSSDBG_FATAL_FAILURE, "Warning: access_provider=ldap set, "
"but ldap_access_order is empty. "
"All domain users will be denied access.\n");
}
diff --git a/src/providers/ldap/sdap.c b/src/providers/ldap/sdap.c
index 360312437..aa6b0e921 100644
--- a/src/providers/ldap/sdap.c
+++ b/src/providers/ldap/sdap.c
@@ -157,7 +157,7 @@ int sdap_parse_entry(TALLOC_CTX *memctx,
lerrno = 0;
ret = ldap_set_option(sh->ldap, LDAP_OPT_RESULT_CODE, &lerrno);
if (ret != LDAP_OPT_SUCCESS) {
- DEBUG(1, "ldap_set_option failed [%s], ignored.\n",
+ DEBUG(SSSDBG_CRIT_FAILURE, "ldap_set_option failed [%s], ignored.\n",
sss_ldap_err2string(ret));
}
@@ -170,13 +170,13 @@ int sdap_parse_entry(TALLOC_CTX *memctx,
str = ldap_get_dn(sh->ldap, sm->msg);
if (!str) {
ldap_get_option(sh->ldap, LDAP_OPT_RESULT_CODE, &lerrno);
- DEBUG(1, "ldap_get_dn failed: %d(%s)\n",
+ DEBUG(SSSDBG_CRIT_FAILURE, "ldap_get_dn failed: %d(%s)\n",
lerrno, sss_ldap_err2string(lerrno));
ret = EIO;
goto done;
}
- DEBUG(9, "OriginalDN: [%s].\n", str);
+ DEBUG(SSSDBG_TRACE_ALL, "OriginalDN: [%s].\n", str);
ret = sysdb_attrs_add_string(attrs, SYSDB_ORIG_DN, str);
if (ret) goto done;
if (_dn) {
@@ -192,7 +192,8 @@ int sdap_parse_entry(TALLOC_CTX *memctx,
if (map) {
vals = ldap_get_values_len(sh->ldap, sm->msg, "objectClass");
if (!vals) {
- DEBUG(1, "Unknown entry type, no objectClasses found!\n");
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Unknown entry type, no objectClasses found!\n");
ret = EINVAL;
goto done;
}
@@ -206,7 +207,7 @@ int sdap_parse_entry(TALLOC_CTX *memctx,
}
}
if (!vals[i]) {
- DEBUG(1, "objectClass not matching: %s\n",
+ DEBUG(SSSDBG_CRIT_FAILURE, "objectClass not matching: %s\n",
map[0].name);
ldap_value_free_len(vals);
ret = EINVAL;
@@ -285,17 +286,19 @@ int sdap_parse_entry(TALLOC_CTX *memctx,
if (!vals) {
ldap_get_option(sh->ldap, LDAP_OPT_RESULT_CODE, &lerrno);
if (lerrno != LDAP_SUCCESS) {
- DEBUG(1, "LDAP Library error: %d(%s)",
+ DEBUG(SSSDBG_CRIT_FAILURE, "LDAP Library error: %d(%s)",
lerrno, sss_ldap_err2string(lerrno));
ret = EIO;
goto done;
}
- DEBUG(5, "Attribute [%s] has no values, skipping.\n", str);
+ DEBUG(SSSDBG_FUNC_DATA,
+ "Attribute [%s] has no values, skipping.\n", str);
} else {
if (!vals[0]) {
- DEBUG(1, "Missing value after ldap_get_values() ??\n");
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Missing value after ldap_get_values() ??\n");
ret = EINVAL;
goto done;
}
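Review bot: The format string `"LDAP Library error: %d(%s)"` in the `lerrno != LDAP_SUCCESS` branch has no trailing newline, unlike every other message touched in this hunk, so the entry will presumably run into the next log line. The same string appears in the following hunk of sdap_parse_entry, in the `if (lerrno)` branch. Since the line is being rewritten anyway, `DEBUG(SSSDBG_CRIT_FAILURE, "LDAP Library error: %d(%s)\n",` would fix both. sdap_parse_entry starts and ends outside the hunk.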
@@ -334,7 +337,7 @@ int sdap_parse_entry(TALLOC_CTX *memctx,
ldap_get_option(sh->ldap, LDAP_OPT_RESULT_CODE, &lerrno);
if (lerrno) {
- DEBUG(1, "LDAP Library error: %d(%s)",
+ DEBUG(SSSDBG_CRIT_FAILURE, "LDAP Library error: %d(%s)",
lerrno, sss_ldap_err2string(lerrno));
ret = EIO;
goto done;
@@ -390,7 +393,7 @@ errno_t sdap_parse_deref(TALLOC_CTX *mem_ctx,
}
if (!dref->derefVal.bv_val) {
- DEBUG(2, "Entry has no DN?\n");
+ DEBUG(SSSDBG_OP_FAILURE, "Entry has no DN?\n");
ret = EINVAL;
goto done;
}
@@ -411,7 +414,8 @@ errno_t sdap_parse_deref(TALLOC_CTX *mem_ctx,
for (dval = dref->attrVals; dval != NULL; dval = dval->next) {
if (strcasecmp("objectClass", dval->type) == 0) {
if (dval->vals == NULL) {
- DEBUG(4, "No value for objectClass, skipping\n");
+ DEBUG(SSSDBG_CONF_SETTINGS,
+ "No value for objectClass, skipping\n");
continue;
}
@@ -424,7 +428,7 @@ errno_t sdap_parse_deref(TALLOC_CTX *mem_ctx,
}
for (i=0; i<len; i++) {
- DEBUG(9, "Dereferenced objectClass value: %s\n",
+ DEBUG(SSSDBG_TRACE_ALL, "Dereferenced objectClass value: %s\n",
dval->vals[i].bv_val);
ocs[i] = talloc_strdup(ocs, dval->vals[i].bv_val);
if (!ocs[i]) {
@@ -437,7 +441,8 @@ errno_t sdap_parse_deref(TALLOC_CTX *mem_ctx,
}
}
if (!ocs) {
- DEBUG(1, "Unknown entry type, no objectClasses found!\n");
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Unknown entry type, no objectClasses found!\n");
ret = EINVAL;
goto done;
}
@@ -448,7 +453,8 @@ errno_t sdap_parse_deref(TALLOC_CTX *mem_ctx,
for (i=0; ocs[i]; i++) {
/* the objectclass is always the first name in the map */
if (strcasecmp(minfo[mi].map[0].name, ocs[i]) == 0) {
- DEBUG(9, "Found map for objectclass '%s'\n", ocs[i]);
+ DEBUG(SSSDBG_TRACE_ALL,
+ "Found map for objectclass '%s'\n", ocs[i]);
map = minfo[mi].map;
num_attrs = minfo[mi].num_attrs;
break;
@@ -469,7 +475,8 @@ errno_t sdap_parse_deref(TALLOC_CTX *mem_ctx,
}
for (dval = dref->attrVals; dval != NULL; dval = dval->next) {
- DEBUG(8, "Dereferenced attribute: %s\n", dval->type);
+ DEBUG(SSSDBG_TRACE_INTERNAL,
+ "Dereferenced attribute: %s\n", dval->type);
for (a = 1; a < num_attrs; a++) {
/* check if this attr is valid with the chosen schema */
@@ -486,12 +493,13 @@ errno_t sdap_parse_deref(TALLOC_CTX *mem_ctx,
}
if (dval->vals == NULL) {
- DEBUG(4, "No value for attribute %s, skipping\n", name);
+ DEBUG(SSSDBG_CONF_SETTINGS,
+ "No value for attribute %s, skipping\n", name);
continue;
}
for (i=0; dval->vals[i].bv_val; i++) {
- DEBUG(9, "Dereferenced attribute value: %s\n",
+ DEBUG(SSSDBG_TRACE_ALL, "Dereferenced attribute value: %s\n",
dval->vals[i].bv_val);
ret = sysdb_attrs_add_mem(res[mi]->attrs, name,
dval->vals[i].bv_val,
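Review bot: The trace message in the value loop prints `dval->vals[i].bv_val` with `%s`, while the very next call passes the same buffer to sysdb_attrs_add_mem as raw memory; a value that is binary or contains an embedded NUL would be logged truncated or as unprintable bytes. A length-bounded format is safer: `"Dereferenced attribute value: %.*s\n", (int) dval->vals[i].bv_len, dval->vals[i].bv_val`. The same applies to the objectClass value message earlier in sdap_parse_deref. At SSSDBG_TRACE_ALL these lines put directory attribute values into the debug log, so a short comment saying so would help whoever decides who can read that log. The sysdb_attrs_add_mem call continues past the end of the hunk.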
@@ -521,14 +529,14 @@ int sdap_get_msg_dn(TALLOC_CTX *memctx, struct sdap_handle *sh,
lerrno = 0;
ret = ldap_set_option(sh->ldap, LDAP_OPT_RESULT_CODE, &lerrno);
if (ret != LDAP_OPT_SUCCESS) {
- DEBUG(1, "ldap_set_option failed [%s], ignored.\n",
+ DEBUG(SSSDBG_CRIT_FAILURE, "ldap_set_option failed [%s], ignored.\n",
sss_ldap_err2string(ret));
}
str = ldap_get_dn(sh->ldap, sm->msg);
if (!str) {
ldap_get_option(sh->ldap, LDAP_OPT_RESULT_CODE, &lerrno);
- DEBUG(1, "ldap_get_dn failed: %d(%s)\n",
+ DEBUG(SSSDBG_CRIT_FAILURE, "ldap_get_dn failed: %d(%s)\n",
lerrno, sss_ldap_err2string(lerrno));
return EIO;
}
@@ -563,7 +571,7 @@ errno_t setup_tls_config(struct dp_option *basic_opts)
ldap_opt_x_tls_require_cert = LDAP_OPT_X_TLS_HARD;
}
else {
- DEBUG(1, "Unknown value for tls_reqcert.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unknown value for tls_reqcert.\n");
return EINVAL;
}
/* LDAP_OPT_X_TLS_REQUIRE_CERT has to be set as a global option,
@@ -571,7 +579,8 @@ errno_t setup_tls_config(struct dp_option *basic_opts)
ret = ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT,
&ldap_opt_x_tls_require_cert);
if (ret != LDAP_OPT_SUCCESS) {
- DEBUG(1, "ldap_set_option failed: %s\n", sss_ldap_err2string(ret));
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "ldap_set_option failed: %s\n", sss_ldap_err2string(ret));
return EIO;
}
}
@@ -580,7 +589,8 @@ errno_t setup_tls_config(struct dp_option *basic_opts)
if (tls_opt) {
ret = ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE, tls_opt);
if (ret != LDAP_OPT_SUCCESS) {
- DEBUG(1, "ldap_set_option failed: %s\n", sss_ldap_err2string(ret));
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "ldap_set_option failed: %s\n", sss_ldap_err2string(ret));
return EIO;
}
}
@@ -589,7 +599,8 @@ errno_t setup_tls_config(struct dp_option *basic_opts)
if (tls_opt) {
ret = ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTDIR, tls_opt);
if (ret != LDAP_OPT_SUCCESS) {
- DEBUG(1, "ldap_set_option failed: %s\n", sss_ldap_err2string(ret));
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "ldap_set_option failed: %s\n", sss_ldap_err2string(ret));
return EIO;
}
}
@@ -598,7 +609,8 @@ errno_t setup_tls_config(struct dp_option *basic_opts)
if (tls_opt) {
ret = ldap_set_option(NULL, LDAP_OPT_X_TLS_CERTFILE, tls_opt);
if (ret != LDAP_OPT_SUCCESS) {
- DEBUG(1, "ldap_set_option failed: %s\n", sss_ldap_err2string(ret));
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "ldap_set_option failed: %s\n", sss_ldap_err2string(ret));
return EIO;
}
}
@@ -607,7 +619,8 @@ errno_t setup_tls_config(struct dp_option *basic_opts)
if (tls_opt) {
ret = ldap_set_option(NULL, LDAP_OPT_X_TLS_KEYFILE, tls_opt);
if (ret != LDAP_OPT_SUCCESS) {
- DEBUG(1, "ldap_set_option failed: %s\n", sss_ldap_err2string(ret));
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "ldap_set_option failed: %s\n", sss_ldap_err2string(ret));
return EIO;
}
}
@@ -616,7 +629,8 @@ errno_t setup_tls_config(struct dp_option *basic_opts)
if (tls_opt) {
ret = ldap_set_option(NULL, LDAP_OPT_X_TLS_CIPHER_SUITE, tls_opt);
if (ret != LDAP_OPT_SUCCESS) {
- DEBUG(1, "ldap_set_option failed: %s\n", sss_ldap_err2string(ret));
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "ldap_set_option failed: %s\n", sss_ldap_err2string(ret));
return EIO;
}
}
@@ -710,15 +724,15 @@ static char *get_single_value_as_string(TALLOC_CTX *mem_ctx,
char *str = NULL;
if (el->num_values == 0) {
- DEBUG(3, "Missing value.\n");
+ DEBUG(SSSDBG_MINOR_FAILURE, "Missing value.\n");
} else if (el->num_values == 1) {
str = talloc_strndup(mem_ctx, (char *) el->values[0].data,
el->values[0].length);
if (str == NULL) {
- DEBUG(1, "talloc_strndup failed.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_strndup failed.\n");
}
} else {
- DEBUG(3, "More than one value found.\n");
+ DEBUG(SSSDBG_MINOR_FAILURE, "More than one value found.\n");
}
return str;
@@ -743,18 +757,21 @@ static char *get_naming_context(TALLOC_CTX *mem_ctx,
}
if (dnc == NULL && nc == NULL) {
- DEBUG(3, "No attributes [%s] or [%s] found in rootDSE.\n",
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "No attributes [%s] or [%s] found in rootDSE.\n",
SDAP_ROOTDSE_ATTR_NAMING_CONTEXTS,
SDAP_ROOTDSE_ATTR_DEFAULT_NAMING_CONTEXT);
} else {
if (dnc != NULL) {
- DEBUG(5, "Using value from [%s] as naming context.\n",
+ DEBUG(SSSDBG_FUNC_DATA,
+ "Using value from [%s] as naming context.\n",
SDAP_ROOTDSE_ATTR_DEFAULT_NAMING_CONTEXT);
naming_context = get_single_value_as_string(mem_ctx, dnc);
}
if (naming_context == NULL && nc != NULL) {
- DEBUG(5, "Using value from [%s] as naming context.\n",
+ DEBUG(SSSDBG_FUNC_DATA,
+ "Using value from [%s] as naming context.\n",
SDAP_ROOTDSE_ATTR_NAMING_CONTEXTS);
naming_context = get_single_value_as_string(mem_ctx, nc);
}
@@ -811,7 +828,7 @@ static errno_t sdap_set_search_base(struct sdap_options *opts,
ret = dp_opt_set_string(opts->basic, class, naming_context);
if (ret != EOK) {
- DEBUG(1, "dp_opt_set_string failed.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "dp_opt_set_string failed.\n");
goto done;
}
@@ -838,7 +855,7 @@ errno_t sdap_set_config_options_with_rootdse(struct sysdb_attrs *rootdse,
|| !sdom->autofs_search_bases) {
naming_context = get_naming_context(opts->basic, rootdse);
if (naming_context == NULL) {
- DEBUG(1, "get_naming_context failed.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "get_naming_context failed.\n");
/* This has to be non-fatal, since some servers offer
* multiple namingContexts entries. We will just
@@ -952,29 +969,35 @@ int sdap_get_server_opts_from_rootdse(TALLOC_CTX *memctx,
if (ret != EOK) {
switch (ret) {
case ENOENT:
- DEBUG(1, "%s configured but not found in rootdse!\n",
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "%s configured but not found in rootdse!\n",
opts->gen_map[SDAP_AT_LAST_USN].opt_name);
break;
case ERANGE:
- DEBUG(1, "Multiple values of %s found in rootdse!\n",
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Multiple values of %s found in rootdse!\n",
opts->gen_map[SDAP_AT_LAST_USN].opt_name);
break;
default:
- DEBUG(1, "Unkown error (%d) checking rootdse!\n", ret);
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Unkown error (%d) checking rootdse!\n", ret);
}
} else {
if (!entry_usn_name) {
- DEBUG(1, "%s found in rootdse but %s is not set!\n",
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "%s found in rootdse but %s is not set!\n",
last_usn_name,
opts->gen_map[SDAP_AT_ENTRY_USN].opt_name);
} else {
so->supports_usn = true;
so->last_usn = strtoul(last_usn_value, &endptr, 10);
if (endptr != NULL && (*endptr != '\0' || endptr == last_usn_value)) {
- DEBUG(3, "USN is not valid (value: %s)\n", last_usn_value);
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "USN is not valid (value: %s)\n", last_usn_value);
so->last_usn = 0;
} else {
- DEBUG(9, "USN value: %s (int: %lu)\n", last_usn_value, so->last_usn);
+ DEBUG(SSSDBG_TRACE_ALL,
+ "USN value: %s (int: %lu)\n", last_usn_value, so->last_usn);
}
}
}
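Review bot: The `strtoul(last_usn_value, &endptr, 10)` call in the `else` branch is not checked for overflow, so a value too large for unsigned long is accepted and stored as ULONG_MAX instead of being rejected like other invalid USNs. The same pattern is repeated in the next hunk of sdap_get_server_opts_from_rootdse. The value appears to come from the server's rootDSE, so it is worth validating fully: set `errno = 0;` before the call and test `if (errno != 0 || *endptr != '\0' || endptr == last_usn_value) {`. The `endptr != NULL` test can go, since strtoul always stores to it. The function body continues outside the hunk.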
@@ -993,10 +1016,12 @@ int sdap_get_server_opts_from_rootdse(TALLOC_CTX *memctx,
so->supports_usn = true;
so->last_usn = strtoul(last_usn_value, &endptr, 10);
if (endptr != NULL && (*endptr != '\0' || endptr == last_usn_value)) {
- DEBUG(3, "USN is not valid (value: %s)\n", last_usn_value);
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "USN is not valid (value: %s)\n", last_usn_value);
so->last_usn = 0;
} else {
- DEBUG(9, "USN value: %s (int: %lu)\n", last_usn_value, so->last_usn);
+ DEBUG(SSSDBG_TRACE_ALL,
+ "USN value: %s (int: %lu)\n", last_usn_value, so->last_usn);
}
last_usn_name = usn_attrs[i].last_name;
break;
@@ -1035,9 +1060,11 @@ int sdap_get_server_opts_from_rootdse(TALLOC_CTX *memctx,
}
if (!last_usn_name) {
- DEBUG(5, "No known USN scheme is supported by this server!\n");
+ DEBUG(SSSDBG_FUNC_DATA,
+ "No known USN scheme is supported by this server!\n");
if (!entry_usn_name) {
- DEBUG(5, "Will use modification timestamp as usn!\n");
+ DEBUG(SSSDBG_FUNC_DATA,
+ "Will use modification timestamp as usn!\n");
opts->gen_map[SDAP_AT_ENTRY_USN].name =
talloc_strdup(opts->gen_map, "modifyTimestamp");
}
@@ -1168,11 +1195,13 @@ int sdap_control_create(struct sdap_handle *sh, const char *oid, int iscritical,
if (sdap_is_control_supported(sh, oid)) {
ret = sss_ldap_control_create(oid, iscritical, value, dupval, ctrlp);
if (ret != LDAP_SUCCESS) {
- DEBUG(1, "sss_ldap_control_create failed [%d][%s].\n",
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "sss_ldap_control_create failed [%d][%s].\n",
ret, sss_ldap_err2string(ret));
}
} else {
- DEBUG(3, "Server does not support the requested control [%s].\n", oid);
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Server does not support the requested control [%s].\n", oid);
ret = LDAP_NOT_SUPPORTED;
}
diff --git a/src/providers/ldap/sdap_access.c b/src/providers/ldap/sdap_access.c
index 8addbdd18..65876ba41 100644
--- a/src/providers/ldap/sdap_access.c
+++ b/src/providers/ldap/sdap_access.c
@@ -91,7 +91,7 @@ sdap_access_send(TALLOC_CTX *mem_ctx,
req = tevent_req_create(mem_ctx, &state, struct sdap_access_req_ctx);
if (req == NULL) {
- DEBUG(1, "tevent_req_create failed.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create failed.\n");
return NULL;
}
@@ -103,10 +103,12 @@ sdap_access_send(TALLOC_CTX *mem_ctx,
state->conn = conn;
state->current_rule = 0;
- DEBUG(6, "Performing access check for user [%s]\n", pd->user);
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "Performing access check for user [%s]\n", pd->user);
if (access_ctx->access_rule[0] == LDAP_ACCESS_EMPTY) {
- DEBUG(3, "No access rules defined, access denied.\n");
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "No access rules defined, access denied.\n");
ret = ERR_ACCESS_DENIED;
goto done;
}
@@ -129,7 +131,8 @@ sdap_access_send(TALLOC_CTX *mem_ctx,
}
if (res->count != 1) {
- DEBUG(1, "Invalid response from sysdb_get_user_attr\n");
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Invalid response from sysdb_get_user_attr\n");
ret = EINVAL;
goto done;
}
@@ -172,7 +175,7 @@ static errno_t check_next_rule(struct sdap_access_req_ctx *state,
state->pd->user,
state->user_entry);
if (subreq == NULL) {
- DEBUG(1, "sdap_access_filter_send failed.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "sdap_access_filter_send failed.\n");
return ENOMEM;
}
@@ -193,7 +196,8 @@ static errno_t check_next_rule(struct sdap_access_req_ctx *state,
break;
default:
- DEBUG(1, "Unexpected access rule type. Access denied.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Unexpected access rule type. Access denied.\n");
ret = ERR_ACCESS_DENIED;
}
@@ -251,17 +255,18 @@ static errno_t sdap_account_expired_shadow(struct pam_data *pd,
long sp_expire;
long today;
- DEBUG(6, "Performing access shadow check for user [%s]\n", pd->user);
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "Performing access shadow check for user [%s]\n", pd->user);
val = ldb_msg_find_attr_as_string(user_entry, SYSDB_SHADOWPW_EXPIRE, NULL);
if (val == NULL) {
- DEBUG(3, "Shadow expire attribute not found. "
+ DEBUG(SSSDBG_MINOR_FAILURE, "Shadow expire attribute not found. "
"Access will be granted.\n");
return EOK;
}
ret = string_to_shadowpw_days(val, &sp_expire);
if (ret != EOK) {
- DEBUG(1, "Failed to retrieve shadow expire date.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to retrieve shadow expire date.\n");
return ret;
}
@@ -272,7 +277,7 @@ static errno_t sdap_account_expired_shadow(struct pam_data *pd,
sizeof(SHADOW_EXPIRE_MSG),
(const uint8_t *) SHADOW_EXPIRE_MSG);
if (ret != EOK) {
- DEBUG(1, "pam_add_response failed.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "pam_add_response failed.\n");
}
return ERR_ACCOUNT_EXPIRED;
@@ -300,7 +305,8 @@ static bool ad_account_expired(uint64_t expiration_time)
now = time(NULL);
if (now == ((time_t) -1)) {
err = errno;
- DEBUG(1, "time failed [%d][%s].\n", err, strerror(err));
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "time failed [%d][%s].\n", err, strerror(err));
return true;
}
@@ -321,11 +327,12 @@ static errno_t sdap_account_expired_ad(struct pam_data *pd,
uint64_t expiration_time;
int ret;
- DEBUG(6, "Performing AD access check for user [%s]\n", pd->user);
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "Performing AD access check for user [%s]\n", pd->user);
uac = ldb_msg_find_attr_as_uint(user_entry, SYSDB_AD_USER_ACCOUNT_CONTROL,
0);
- DEBUG(9, "User account control for user [%s] is [%X].\n",
+ DEBUG(SSSDBG_TRACE_ALL, "User account control for user [%s] is [%X].\n",
pd->user, uac);
expiration_time = ldb_msg_find_attr_as_uint64(user_entry,
@@ -340,7 +347,7 @@ static errno_t sdap_account_expired_ad(struct pam_data *pd,
sizeof(AD_DISABLE_MESSAGE),
(const uint8_t *) AD_DISABLE_MESSAGE);
if (ret != EOK) {
- DEBUG(1, "pam_add_response failed.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "pam_add_response failed.\n");
}
return ERR_ACCESS_DENIED;
@@ -351,7 +358,7 @@ static errno_t sdap_account_expired_ad(struct pam_data *pd,
sizeof(AD_EXPIRED_MESSAGE),
(const uint8_t *) AD_EXPIRED_MESSAGE);
if (ret != EOK) {
- DEBUG(1, "pam_add_response failed.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "pam_add_response failed.\n");
}
return ERR_ACCOUNT_EXPIRED;
@@ -368,10 +375,11 @@ static errno_t sdap_account_expired_rhds(struct pam_data *pd,
bool locked;
int ret;
- DEBUG(6, "Performing RHDS access check for user [%s]\n", pd->user);
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "Performing RHDS access check for user [%s]\n", pd->user);
locked = ldb_msg_find_attr_as_bool(user_entry, SYSDB_NS_ACCOUNT_LOCK, false);
- DEBUG(9, "Account for user [%s] is%s locked.\n", pd->user,
+ DEBUG(SSSDBG_TRACE_ALL, "Account for user [%s] is%s locked.\n", pd->user,
locked ? "" : " not" );
if (locked) {
@@ -379,7 +387,7 @@ static errno_t sdap_account_expired_rhds(struct pam_data *pd,
sizeof(RHDS_LOCK_MSG),
(const uint8_t *) RHDS_LOCK_MSG);
if (ret != EOK) {
- DEBUG(1, "pam_add_response failed.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "pam_add_response failed.\n");
}
return ERR_ACCESS_DENIED;
@@ -400,7 +408,8 @@ static bool nds_check_expired(const char *exp_time_str)
time_t now;
if (exp_time_str == NULL) {
- DEBUG(9, "ndsLoginExpirationTime is not set, access granted.\n");
+ DEBUG(SSSDBG_TRACE_ALL,
+ "ndsLoginExpirationTime is not set, access granted.\n");
return false;
}
@@ -408,18 +417,21 @@ static bool nds_check_expired(const char *exp_time_str)
end = strptime(exp_time_str, "%Y%m%d%H%M%SZ", &tm);
if (end == NULL) {
- DEBUG(1, "NDS expire date [%s] invalid.\n", exp_time_str);
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "NDS expire date [%s] invalid.\n", exp_time_str);
return true;
}
if (*end != '\0') {
- DEBUG(1, "NDS expire date [%s] contains extra characters.\n",
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "NDS expire date [%s] contains extra characters.\n",
exp_time_str);
return true;
}
expire_time = mktime(&tm);
if (expire_time == -1) {
- DEBUG(1, "mktime failed to convert [%s].\n", exp_time_str);
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "mktime failed to convert [%s].\n", exp_time_str);
return true;
}
@@ -432,7 +444,7 @@ static bool nds_check_expired(const char *exp_time_str)
tzname[1], timezone, daylight, now, expire_time);
if (difftime(now, expire_time) > 0.0) {
- DEBUG(4, "NDS account expired.\n");
+ DEBUG(SSSDBG_CONF_SETTINGS, "NDS account expired.\n");
return true;
}
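Review bot: `DEBUG(SSSDBG_CONF_SETTINGS, "NDS account expired.\n");` reports an access decision under the configuration-settings level, an artefact of mapping the old level 4 mechanically; "Access allowed by time map." in nds_check_time_map got the same level. Other denials in this file, such as "No access rules defined, access denied." in sdap_access_send, use SSSDBG_MINOR_FAILURE. Using it here too (`DEBUG(SSSDBG_MINOR_FAILURE, "NDS account expired.\n");`) would let someone reviewing why a login was refused find all denials at one level. nds_check_expired continues outside the hunk.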
@@ -452,7 +464,8 @@ static bool nds_check_time_map(const struct ldb_val *time_map)
uint8_t mask = 0;
if (time_map == NULL) {
- DEBUG(9, "loginAllowedTimeMap is missing, access granted.\n");
+ DEBUG(SSSDBG_TRACE_ALL,
+ "loginAllowedTimeMap is missing, access granted.\n");
return false;
}
@@ -489,7 +502,7 @@ static bool nds_check_time_map(const struct ldb_val *time_map)
}
if (time_map->data[q.quot] & mask) {
- DEBUG(4, "Access allowed by time map.\n");
+ DEBUG(SSSDBG_CONF_SETTINGS, "Access allowed by time map.\n");
return false;
}
@@ -504,11 +517,12 @@ static errno_t sdap_account_expired_nds(struct pam_data *pd,
const char *exp_time_str;
const struct ldb_val *time_map;
- DEBUG(6, "Performing NDS access check for user [%s]\n", pd->user);
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "Performing NDS access check for user [%s]\n", pd->user);
locked = ldb_msg_find_attr_as_bool(user_entry, SYSDB_NDS_LOGIN_DISABLED,
false);
- DEBUG(9, "Account for user [%s] is%s disabled.\n", pd->user,
+ DEBUG(SSSDBG_TRACE_ALL, "Account for user [%s] is%s disabled.\n", pd->user,
locked ? "" : " not");
if (locked) {
@@ -516,7 +530,7 @@ static errno_t sdap_account_expired_nds(struct pam_data *pd,
sizeof(NDS_DISABLE_MSG),
(const uint8_t *) NDS_DISABLE_MSG);
if (ret != EOK) {
- DEBUG(1, "pam_add_response failed.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "pam_add_response failed.\n");
}
return ERR_ACCESS_DENIED;
@@ -527,7 +541,8 @@ static errno_t sdap_account_expired_nds(struct pam_data *pd,
NULL);
locked = nds_check_expired(exp_time_str);
- DEBUG(9, "Account for user [%s] is%s expired.\n", pd->user,
+ DEBUG(SSSDBG_TRACE_ALL,
+ "Account for user [%s] is%s expired.\n", pd->user,
locked ? "" : " not");
if (locked) {
@@ -535,7 +550,7 @@ static errno_t sdap_account_expired_nds(struct pam_data *pd,
sizeof(NDS_EXPIRED_MSG),
(const uint8_t *) NDS_EXPIRED_MSG);
if (ret != EOK) {
- DEBUG(1, "pam_add_response failed.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "pam_add_response failed.\n");
}
return ERR_ACCESS_DENIED;
@@ -546,7 +561,8 @@ static errno_t sdap_account_expired_nds(struct pam_data *pd,
locked = nds_check_time_map(time_map);
- DEBUG(9, "Account for user [%s] is%s locked at this time.\n",
+ DEBUG(SSSDBG_TRACE_ALL,
+ "Account for user [%s] is%s locked at this time.\n",
pd->user, locked ? "" : " not");
if (locked) {
@@ -554,7 +570,7 @@ static errno_t sdap_account_expired_nds(struct pam_data *pd,
sizeof(NDS_TIME_MAP_MSG),
(const uint8_t *) NDS_TIME_MAP_MSG);
if (ret != EOK) {
- DEBUG(1, "pam_add_response failed.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "pam_add_response failed.\n");
}
return ERR_ACCESS_DENIED;
@@ -576,33 +592,38 @@ static errno_t sdap_account_expired(struct sdap_access_ctx *access_ctx,
expire = dp_opt_get_cstring(access_ctx->id_ctx->opts->basic,
SDAP_ACCOUNT_EXPIRE_POLICY);
if (expire == NULL) {
- DEBUG(1, "Missing account expire policy. Access denied\n");
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Missing account expire policy. Access denied\n");
return ERR_ACCESS_DENIED;
} else {
if (strcasecmp(expire, LDAP_ACCOUNT_EXPIRE_SHADOW) == 0) {
ret = sdap_account_expired_shadow(pd, user_entry);
if (ret != EOK) {
- DEBUG(1, "sdap_account_expired_shadow failed.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "sdap_account_expired_shadow failed.\n");
}
} else if (strcasecmp(expire, LDAP_ACCOUNT_EXPIRE_AD) == 0) {
ret = sdap_account_expired_ad(pd, user_entry);
if (ret != EOK) {
- DEBUG(1, "sdap_account_expired_ad failed.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "sdap_account_expired_ad failed.\n");
}
} else if (strcasecmp(expire, LDAP_ACCOUNT_EXPIRE_RHDS) == 0 ||
strcasecmp(expire, LDAP_ACCOUNT_EXPIRE_IPA) == 0 ||
strcasecmp(expire, LDAP_ACCOUNT_EXPIRE_389DS) == 0) {
ret = sdap_account_expired_rhds(pd, user_entry);
if (ret != EOK) {
- DEBUG(1, "sdap_account_expired_rhds failed.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "sdap_account_expired_rhds failed.\n");
}
} else if (strcasecmp(expire, LDAP_ACCOUNT_EXPIRE_NDS) == 0) {
ret = sdap_account_expired_nds(pd, user_entry);
if (ret != EOK) {
- DEBUG(1, "sdap_account_expired_nds failed.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "sdap_account_expired_nds failed.\n");
}
} else {
- DEBUG(1, "Unsupported LDAP account expire policy [%s]. "
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Unsupported LDAP account expire policy [%s]. "
"Access denied.\n", expire);
ret = ERR_ACCESS_DENIED;
}
@@ -653,7 +674,7 @@ static struct tevent_req *sdap_access_filter_send(TALLOC_CTX *mem_ctx,
if (access_ctx->filter == NULL || *access_ctx->filter == '\0') {
/* If no filter is set, default to restrictive */
- DEBUG(6, "No filter set. Access is denied.\n");
+ DEBUG(SSSDBG_TRACE_FUNC, "No filter set. Access is denied.\n");
ret = ERR_ACCESS_DENIED;
goto done;
}
@@ -666,7 +687,8 @@ static struct tevent_req *sdap_access_filter_send(TALLOC_CTX *mem_ctx,
state->access_ctx = access_ctx;
state->domain = domain;
- DEBUG(6, "Performing access filter check for user [%s]\n", username);
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "Performing access filter check for user [%s]\n", username);
state->cached_access = ldb_msg_find_attr_as_bool(user_entry,
SYSDB_LDAP_ACCESS_FILTER,
@@ -681,7 +703,7 @@ static struct tevent_req *sdap_access_filter_send(TALLOC_CTX *mem_ctx,
/* Perform online operation */
basedn = ldb_msg_find_attr_as_string(user_entry, SYSDB_ORIG_DN, NULL);
if (basedn == NULL) {
- DEBUG(1,"Could not find originalDN for user [%s]\n",
+ DEBUG(SSSDBG_CRIT_FAILURE,"Could not find originalDN for user [%s]\n",
state->username);
ret = EINVAL;
goto done;
@@ -689,7 +711,8 @@ static struct tevent_req *sdap_access_filter_send(TALLOC_CTX *mem_ctx,
state->basedn = talloc_strdup(state, basedn);
if (state->basedn == NULL) {
- DEBUG(1, "Could not allocate memory for originalDN\n");
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Could not allocate memory for originalDN\n");
ret = ENOMEM;
goto done;
}
@@ -717,18 +740,18 @@ static struct tevent_req *sdap_access_filter_send(TALLOC_CTX *mem_ctx,
state->opts->user_map[SDAP_OC_USER].name,
state->access_ctx->filter);
if (state->filter == NULL) {
- DEBUG(0, "Could not construct access filter\n");
+ DEBUG(SSSDBG_FATAL_FAILURE, "Could not construct access filter\n");
ret = ENOMEM;
goto done;
}
talloc_zfree(clean_username);
- DEBUG(6, "Checking filter against LDAP\n");
+ DEBUG(SSSDBG_TRACE_FUNC, "Checking filter against LDAP\n");
state->sdap_op = sdap_id_op_create(state,
state->conn->conn_cache);
if (!state->sdap_op) {
- DEBUG(2, "sdap_id_op_create failed\n");
+ DEBUG(SSSDBG_OP_FAILURE, "sdap_id_op_create failed\n");
ret = ENOMEM;
goto done;
}
@@ -756,10 +779,10 @@ static errno_t sdap_access_filter_decide_offline(struct tevent_req *req)
tevent_req_data(req, struct sdap_access_filter_req_ctx);
if (state->cached_access) {
- DEBUG(6, "Access granted by cached credentials\n");
+ DEBUG(SSSDBG_TRACE_FUNC, "Access granted by cached credentials\n");
return EOK;
} else {
- DEBUG(6, "Access denied by cached credentials\n");
+ DEBUG(SSSDBG_TRACE_FUNC, "Access denied by cached credentials\n");
return ERR_ACCESS_DENIED;
}
}
@@ -773,7 +796,8 @@ static int sdap_access_filter_retry(struct tevent_req *req)
subreq = sdap_id_op_connect_send(state->sdap_op, state, &ret);
if (!subreq) {
- DEBUG(2, "sdap_id_op_connect_send failed: %d (%s)\n", ret, strerror(ret));
+ DEBUG(SSSDBG_OP_FAILURE,
+ "sdap_id_op_connect_send failed: %d (%s)\n", ret, strerror(ret));
return ret;
}
@@ -820,7 +844,7 @@ static void sdap_access_filter_connect_done(struct tevent_req *subreq)
SDAP_SEARCH_TIMEOUT),
false);
if (subreq == NULL) {
- DEBUG(1, "Could not start LDAP communication\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "Could not start LDAP communication\n");
tevent_req_error(req, EIO);
return;
}
@@ -861,7 +885,8 @@ static void sdap_access_filter_get_access_done(struct tevent_req *subreq)
"Malformed access control filter [%s]\n", state->filter);
ret = ERR_ACCESS_DENIED;
} else {
- DEBUG(1, "sdap_get_generic_send() returned error [%d][%s]\n",
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "sdap_get_generic_send() returned error [%d][%s]\n",
ret, sss_strerror(ret));
}
@@ -874,12 +899,13 @@ static void sdap_access_filter_get_access_done(struct tevent_req *subreq)
* Anything else is an error
*/
if (num_results < 1) {
- DEBUG(4, "User [%s] was not found with the specified filter. "
+ DEBUG(SSSDBG_CONF_SETTINGS,
+ "User [%s] was not found with the specified filter. "
"Denying access.\n", state->username);
found = false;
}
else if (results == NULL) {
- DEBUG(1, "num_results > 0, but results is NULL\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "num_results > 0, but results is NULL\n");
ret = ERR_INTERNAL;
goto done;
}
@@ -887,7 +913,7 @@ static void sdap_access_filter_get_access_done(struct tevent_req *subreq)
/* It should not be possible to get more than one reply
* here, since we're doing a base-scoped search
*/
- DEBUG(1, "Received multiple replies\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "Received multiple replies\n");
ret = ERR_INTERNAL;
goto done;
}
@@ -899,21 +925,21 @@ static void sdap_access_filter_get_access_done(struct tevent_req *subreq)
/* Save "allow" to the cache for future offline
:q* access checks.
*/
- DEBUG(6, "Access granted by online lookup\n");
+ DEBUG(SSSDBG_TRACE_FUNC, "Access granted by online lookup\n");
ret = EOK;
}
else {
/* Save "disallow" to the cache for future offline
* access checks.
*/
- DEBUG(6, "Access denied by online lookup\n");
+ DEBUG(SSSDBG_TRACE_FUNC, "Access denied by online lookup\n");
ret = ERR_ACCESS_DENIED;
}
attrs = sysdb_new_attrs(state);
if (attrs == NULL) {
ret = ENOMEM;
- DEBUG(1, "Could not set up attrs\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "Could not set up attrs\n");
goto done;
}
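Review bot: The comment above the "Access granted by online lookup" message carries a stray editor command, `:q* access checks.`, which looks like a mistyped vi quit that ended up in the source. It is a context line here, but the file is being touched anyway, so the line should read `* access checks.` to match the "disallow" comment a few lines below. sdap_access_filter_get_access_done starts and ends outside this hunk.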
@@ -923,7 +949,7 @@ static void sdap_access_filter_get_access_done(struct tevent_req *subreq)
/* Failing to save to the cache is non-fatal.
* Just return the result.
*/
- DEBUG(1, "Could not set up attrs\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "Could not set up attrs\n");
goto done;
}
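Review bot: This branch logs `Could not set up attrs` at `SSSDBG_CRIT_FAILURE`, while the comment directly above it says the failure is non-fatal and the result is returned regardless. The text is also identical to the sysdb_new_attrs() failure message in the previous hunk, so the two cases cannot be told apart in a log. The failing call is outside the hunk; assuming it adds the access flag to attrs, something like `DEBUG(SSSDBG_MINOR_FAILURE, "Could not add access result to attrs\n");` would separate them and match the stated severity.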
@@ -933,7 +959,7 @@ static void sdap_access_filter_get_access_done(struct tevent_req *subreq)
/* Failing to save to the cache is non-fatal.
* Just return the result.
*/
- DEBUG(1, "Failed to set user access attribute\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to set user access attribute\n");
goto done;
}
@@ -970,13 +996,14 @@ static errno_t sdap_access_service(struct pam_data *pd,
el = ldb_msg_find_element(user_entry, SYSDB_AUTHORIZED_SERVICE);
if (!el || el->num_values == 0) {
- DEBUG(1, "Missing authorized services. Access denied\n");
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Missing authorized services. Access denied\n");
tret = pam_add_response(pd, SSS_PAM_SYSTEM_INFO,
sizeof(AUTHR_SRV_MISSING_MSG),
(const uint8_t *) AUTHR_SRV_MISSING_MSG);
if (tret != EOK) {
- DEBUG(1, "pam_add_response failed.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "pam_add_response failed.\n");
}
return ERR_ACCESS_DENIED;
@@ -989,13 +1016,13 @@ static errno_t sdap_access_service(struct pam_data *pd,
if (service[0] == '!' &&
strcasecmp(pd->service, service+1) == 0) {
/* This service is explicitly denied */
- DEBUG(4, "Access denied by [%s]\n", service);
+ DEBUG(SSSDBG_CONF_SETTINGS, "Access denied by [%s]\n", service);
tret = pam_add_response(pd, SSS_PAM_SYSTEM_INFO,
sizeof(AUTHR_SRV_DENY_MSG),
(const uint8_t *) AUTHR_SRV_DENY_MSG);
if (tret != EOK) {
- DEBUG(1, "pam_add_response failed.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "pam_add_response failed.\n");
}
/* A denial trumps all. Break here */
@@ -1003,14 +1030,14 @@ static errno_t sdap_access_service(struct pam_data *pd,
} else if (strcasecmp(pd->service, service) == 0) {
/* This service is explicitly allowed */
- DEBUG(4, "Access granted for [%s]\n", service);
+ DEBUG(SSSDBG_CONF_SETTINGS, "Access granted for [%s]\n", service);
/* We still need to loop through to make sure
* that it's not also explicitly denied
*/
ret = EOK;
} else if (strcmp("*", service) == 0) {
/* This user has access to all services */
- DEBUG(4, "Access granted to all services\n");
+ DEBUG(SSSDBG_CONF_SETTINGS, "Access granted to all services\n");
/* We still need to loop through to make sure
* that it's not also explicitly denied
*/
@@ -1019,13 +1046,13 @@ static errno_t sdap_access_service(struct pam_data *pd,
}
if (ret == ENOENT) {
- DEBUG(4, "No matching service rule found\n");
+ DEBUG(SSSDBG_CONF_SETTINGS, "No matching service rule found\n");
tret = pam_add_response(pd, SSS_PAM_SYSTEM_INFO,
sizeof(AUTHR_SRV_NO_MATCH_MSG),
(const uint8_t *) AUTHR_SRV_NO_MATCH_MSG);
if (tret != EOK) {
- DEBUG(1, "pam_add_response failed.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "pam_add_response failed.\n");
}
ret = ERR_ACCESS_DENIED;
@@ -1044,12 +1071,13 @@ static errno_t sdap_access_host(struct ldb_message *user_entry)
el = ldb_msg_find_element(user_entry, SYSDB_AUTHORIZED_HOST);
if (!el || el->num_values == 0) {
- DEBUG(1, "Missing hosts. Access denied\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "Missing hosts. Access denied\n");
return ERR_ACCESS_DENIED;
}
if (gethostname(hostname, sizeof(hostname)) == -1) {
- DEBUG(1, "Unable to get system hostname. Access denied\n");
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Unable to get system hostname. Access denied\n");
return ERR_ACCESS_DENIED;
}
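Review bot: The gethostname() call in sdap_access_host only checks for -1, and POSIX leaves it unspecified whether the buffer is NUL-terminated when the name is truncated. The declaration of `hostname` and the lines between this hunk and the next are not visible, so this may already be handled. If it is not, add `hostname[sizeof(hostname) - 1] = '\0';` right after the check, because the strcasecmp() calls in the following hunk decide host-based access from this buffer.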
@@ -1066,20 +1094,20 @@ static errno_t sdap_access_host(struct ldb_message *user_entry)
if (host[0] == '!' &&
strcasecmp(hostname, host+1) == 0) {
/* This host is explicitly denied */
- DEBUG(4, "Access denied by [%s]\n", host);
+ DEBUG(SSSDBG_CONF_SETTINGS, "Access denied by [%s]\n", host);
/* A denial trumps all. Break here */
return ERR_ACCESS_DENIED;
} else if (strcasecmp(hostname, host) == 0) {
/* This host is explicitly allowed */
- DEBUG(4, "Access granted for [%s]\n", host);
+ DEBUG(SSSDBG_CONF_SETTINGS, "Access granted for [%s]\n", host);
/* We still need to loop through to make sure
* that it's not also explicitly denied
*/
ret = EOK;
} else if (strcmp("*", host) == 0) {
/* This user has access to all hosts */
- DEBUG(4, "Access granted to all hosts\n");
+ DEBUG(SSSDBG_CONF_SETTINGS, "Access granted to all hosts\n");
/* We still need to loop through to make sure
* that it's not also explicitly denied
*/
@@ -1088,7 +1116,7 @@ static errno_t sdap_access_host(struct ldb_message *user_entry)
}
if (ret == ENOENT) {
- DEBUG(4, "No matching host rule found\n");
+ DEBUG(SSSDBG_CONF_SETTINGS, "No matching host rule found\n");
ret = ERR_ACCESS_DENIED;
}
diff --git a/src/providers/ldap/sdap_async.c b/src/providers/ldap/sdap_async.c
index b6ba90744..039510777 100644
--- a/src/providers/ldap/sdap_async.c
+++ b/src/providers/ldap/sdap_async.c
@@ -33,7 +33,7 @@ void make_realm_upper_case(const char *upn)
c = strchr(upn, REALM_SEPARATOR);
if (c == NULL) {
- DEBUG(9, "No realm delimiter found in upn [%s].\n", upn);
+ DEBUG(SSSDBG_TRACE_ALL, "No realm delimiter found in upn [%s].\n", upn);
return;
}
@@ -100,7 +100,8 @@ static void sdap_handle_release(struct sdap_handle *sh)
{
struct sdap_op *op;
- DEBUG(8, "Trace: sh[%p], connected[%d], ops[%p], ldap[%p], "
+ DEBUG(SSSDBG_TRACE_INTERNAL,
+ "Trace: sh[%p], connected[%d], ops[%p], ldap[%p], "
"destructor_lock[%d], release_memory[%d]\n",
sh, (int)sh->connected, sh->ops, sh->ldap,
(int)sh->destructor_lock, (int)sh->release_memory);
@@ -168,11 +169,12 @@ static void sdap_process_result(struct tevent_context *ev, void *pvt)
LDAPMessage *msg;
int ret;
- DEBUG(8, "Trace: sh[%p], connected[%d], ops[%p], ldap[%p]\n",
+ DEBUG(SSSDBG_TRACE_INTERNAL,
+ "Trace: sh[%p], connected[%d], ops[%p], ldap[%p]\n",
sh, (int)sh->connected, sh->ops, sh->ldap);
if (!sh->connected || !sh->ldap) {
- DEBUG(2, "ERROR: LDAP connection is not connected!\n");
+ DEBUG(SSSDBG_OP_FAILURE, "ERROR: LDAP connection is not connected!\n");
sdap_handle_release(sh);
return;
}
@@ -181,7 +183,7 @@ static void sdap_process_result(struct tevent_context *ev, void *pvt)
if (ret == 0) {
/* this almost always means we have reached the end of
* the list of received messages */
- DEBUG(8, "Trace: ldap_result found nothing!\n");
+ DEBUG(SSSDBG_TRACE_INTERNAL, "Trace: ldap_result found nothing!\n");
return;
}
@@ -203,7 +205,8 @@ static void sdap_process_result(struct tevent_context *ev, void *pvt)
te = tevent_add_timer(ev, sh, no_timeout, sdap_ldap_next_result, sh);
if (!te) {
- DEBUG(1, "Failed to add critical timer to fetch next result!\n");
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Failed to add critical timer to fetch next result!\n");
}
/* now process this message */
@@ -281,7 +284,7 @@ static void sdap_process_message(struct tevent_context *ev,
msgid = ldap_msgid(msg);
if (msgid == -1) {
- DEBUG(2, "can't fire callback, message id invalid!\n");
+ DEBUG(SSSDBG_OP_FAILURE, "can't fire callback, message id invalid!\n");
ldap_msgfree(msg);
return;
}
@@ -293,7 +296,8 @@ static void sdap_process_message(struct tevent_context *ev,
}
if (op == NULL) {
- DEBUG(2, "Unmatched msgid, discarding message (type: %0x)\n",
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Unmatched msgid, discarding message (type: %0x)\n",
msgtype);
ldap_msgfree(msg);
return;
@@ -301,12 +305,14 @@ static void sdap_process_message(struct tevent_context *ev,
/* shouldn't happen */
if (op->done) {
- DEBUG(2, "Operation [%p] already handled (type: %0x)\n", op, msgtype);
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Operation [%p] already handled (type: %0x)\n", op, msgtype);
ldap_msgfree(msg);
return;
}
- DEBUG(9, "Message type: [%s]\n", sdap_ldap_result_str(msgtype));
+ DEBUG(SSSDBG_TRACE_ALL,
+ "Message type: [%s]\n", sdap_ldap_result_str(msgtype));
switch (msgtype) {
case LDAP_RES_SEARCH_ENTRY:
@@ -334,7 +340,8 @@ static void sdap_process_message(struct tevent_context *ev,
default:
/* unkwon msg type ?? */
- DEBUG(1, "Couldn't figure out the msg type! [%0x]\n", msgtype);
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Couldn't figure out the msg type! [%0x]\n", msgtype);
ldap_msgfree(msg);
return;
}
@@ -395,7 +402,8 @@ static void sdap_unlock_next_reply(struct sdap_op *op)
te = tevent_add_timer(op->ev, op, tv,
sdap_process_next_reply, op);
if (!te) {
- DEBUG(1, "Failed to add critical timer for next reply!\n");
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Failed to add critical timer for next reply!\n");
op->callback(op, NULL, EFAULT, op->data);
}
}
@@ -435,7 +443,7 @@ static void sdap_op_timeout(struct tevent_req *req)
/* should never happen, but just in case */
if (op->done) {
- DEBUG(2, "Timeout happened after op was finished !?\n");
+ DEBUG(SSSDBG_OP_FAILURE, "Timeout happened after op was finished !?\n");
return;
}
@@ -523,7 +531,7 @@ struct tevent_req *sdap_exop_modify_passwd_send(TALLOC_CTX *memctx,
ber = ber_alloc_t( LBER_USE_DER );
if (ber == NULL) {
- DEBUG(7, "ber_alloc_t failed.\n");
+ DEBUG(SSSDBG_TRACE_LIBS, "ber_alloc_t failed.\n");
talloc_zfree(req);
return NULL;
}
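Review bot: The `ber_alloc_t failed.` message in sdap_exop_modify_passwd_send ends up at `SSSDBG_TRACE_LIBS`, although this branch frees the request and returns NULL, which aborts the password change. The same allocation failure in sdap_asq_search_create_control is logged at `SSSDBG_OP_FAILURE` later in this diff, and the neighbouring ber_printf and ber_flatten failures here use `SSSDBG_CRIT_FAILURE`. A follow-up should align it, for example `DEBUG(SSSDBG_OP_FAILURE, "ber_alloc_t failed.\n");`, so the failure is visible without trace logging. The function starts and ends outside this hunk.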
@@ -533,7 +541,7 @@ struct tevent_req *sdap_exop_modify_passwd_send(TALLOC_CTX *memctx,
LDAP_TAG_EXOP_MODIFY_PASSWD_OLD, password,
LDAP_TAG_EXOP_MODIFY_PASSWD_NEW, new_password);
if (ret == -1) {
- DEBUG(1, "ber_printf failed.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "ber_printf failed.\n");
ber_free(ber, 1);
talloc_zfree(req);
return NULL;
@@ -542,7 +550,7 @@ struct tevent_req *sdap_exop_modify_passwd_send(TALLOC_CTX *memctx,
ret = ber_flatten(ber, &bv);
ber_free(ber, 1);
if (ret == -1) {
- DEBUG(1, "ber_flatten failed.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "ber_flatten failed.\n");
talloc_zfree(req);
return NULL;
}
@@ -550,31 +558,32 @@ struct tevent_req *sdap_exop_modify_passwd_send(TALLOC_CTX *memctx,
ret = sdap_control_create(state->sh, LDAP_CONTROL_PASSWORDPOLICYREQUEST,
0, NULL, 0, &ctrls[0]);
if (ret != LDAP_SUCCESS && ret != LDAP_NOT_SUPPORTED) {
- DEBUG(1, "sdap_control_create failed to create "
+ DEBUG(SSSDBG_CRIT_FAILURE, "sdap_control_create failed to create "
"Password Policy control.\n");
ret = ERR_INTERNAL;
goto fail;
}
request_controls = ctrls;
- DEBUG(4, "Executing extended operation\n");
+ DEBUG(SSSDBG_CONF_SETTINGS, "Executing extended operation\n");
ret = ldap_extended_operation(state->sh->ldap, LDAP_EXOP_MODIFY_PASSWD,
bv, request_controls, NULL, &msgid);
ber_bvfree(bv);
if (ctrls[0]) ldap_control_free(ctrls[0]);
if (ret == -1 || msgid == -1) {
- DEBUG(1, "ldap_extended_operation failed\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "ldap_extended_operation failed\n");
ret = ERR_NETWORK_IO;
goto fail;
}
- DEBUG(8, "ldap_extended_operation sent, msgid = %d\n", msgid);
+ DEBUG(SSSDBG_TRACE_INTERNAL,
+ "ldap_extended_operation sent, msgid = %d\n", msgid);
/* FIXME: get timeouts from configuration, for now 5 secs. */
ret = sdap_op_add(state, ev, state->sh, msgid,
sdap_exop_modify_passwd_done, req, 5, &state->op);
if (ret) {
- DEBUG(1, "Failed to set up operation!\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to set up operation!\n");
ret = ERR_INTERNAL;
goto fail;
}
@@ -612,16 +621,17 @@ static void sdap_exop_modify_passwd_done(struct sdap_op *op,
&result, NULL, &errmsg, NULL,
&response_controls, 0);
if (ret != LDAP_SUCCESS) {
- DEBUG(2, "ldap_parse_result failed (%d)\n", state->op->msgid);
+ DEBUG(SSSDBG_OP_FAILURE,
+ "ldap_parse_result failed (%d)\n", state->op->msgid);
ret = ERR_INTERNAL;
goto done;
}
if (response_controls == NULL) {
- DEBUG(5, "Server returned no controls.\n");
+ DEBUG(SSSDBG_FUNC_DATA, "Server returned no controls.\n");
} else {
for (c = 0; response_controls[c] != NULL; c++) {
- DEBUG(9, "Server returned control [%s].\n",
+ DEBUG(SSSDBG_TRACE_ALL, "Server returned control [%s].\n",
response_controls[c]->ldctl_oid);
if (strcmp(response_controls[c]->ldctl_oid,
LDAP_CONTROL_PASSWORDPOLICYRESPONSE) == 0) {
@@ -630,19 +640,21 @@ static void sdap_exop_modify_passwd_done(struct sdap_op *op,
&pp_expire, &pp_grace,
&pp_error);
if (ret != LDAP_SUCCESS) {
- DEBUG(1, "ldap_parse_passwordpolicy_control failed.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "ldap_parse_passwordpolicy_control failed.\n");
ret = ERR_NETWORK_IO;
goto done;
}
- DEBUG(7, "Password Policy Response: expire [%d] grace [%d] "
+ DEBUG(SSSDBG_TRACE_LIBS,
+ "Password Policy Response: expire [%d] grace [%d] "
"error [%s].\n", pp_expire, pp_grace,
ldap_passwordpolicy_err2txt(pp_error));
}
}
}
- DEBUG(3, "ldap_extended_operation result: %s(%d), %s\n",
+ DEBUG(SSSDBG_MINOR_FAILURE, "ldap_extended_operation result: %s(%d), %s\n",
sss_ldap_err2string(result), result, errmsg);
switch (result) {
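Review bot: `errmsg` is passed straight to `%s` in the `ldap_extended_operation result` message, yet the next hunk of this function tests `if (errmsg)` before using it, so it can evidently be NULL at this point. Passing NULL to `%s` is undefined behaviour in C, even though glibc happens to print "(null)". sdap_get_generic_ext_done already guards the same pattern, and the same form fits here: `sss_ldap_err2string(result), result, errmsg ? errmsg : "no errmsg set");`. sdap_exop_modify_passwd_done starts and ends outside this hunk.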
@@ -664,7 +676,7 @@ static void sdap_exop_modify_passwd_done(struct sdap_op *op,
if (errmsg) {
state->user_error_message = talloc_strdup(state, errmsg);
if (state->user_error_message == NULL) {
- DEBUG(1, "talloc_strdup failed.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_strdup failed.\n");
ret = ENOMEM;
goto done;
}
@@ -866,7 +878,7 @@ struct tevent_req *sdap_get_rootdse_send(TALLOC_CTX *memctx,
NULL
};
- DEBUG(9, "Getting rootdse\n");
+ DEBUG(SSSDBG_TRACE_ALL, "Getting rootdse\n");
req = tevent_req_create(memctx, &state, struct sdap_get_rootdse_state);
if (!req) return NULL;
@@ -916,7 +928,7 @@ static void sdap_get_rootdse_done(struct tevent_req *subreq)
}
if (num_results == 0 || !results) {
- DEBUG(2, "RootDSE could not be retrieved. "
+ DEBUG(SSSDBG_OP_FAILURE, "RootDSE could not be retrieved. "
"Please check that anonymous access to RootDSE is allowed\n"
);
tevent_req_error(req, ENOENT);
@@ -924,7 +936,8 @@ static void sdap_get_rootdse_done(struct tevent_req *subreq)
}
if (num_results > 1) {
- DEBUG(2, "Multiple replies when searching for RootDSE ??\n");
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Multiple replies when searching for RootDSE ??\n");
tevent_req_error(req, EIO);
return;
}
@@ -1042,7 +1055,7 @@ static errno_t add_to_reply(TALLOC_CTX *mem_ctx,
struct sysdb_attrs *,
sreply->reply_max);
if (sreply->reply == NULL) {
- DEBUG(1, "talloc_realloc failed.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_realloc failed.\n");
return ENOMEM;
}
}
@@ -1075,7 +1088,7 @@ static errno_t add_to_deref_reply(TALLOC_CTX *mem_ctx,
struct sdap_deref_attrs *,
dreply->reply_max);
if (dreply->reply == NULL) {
- DEBUG(1, "talloc_realloc failed.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_realloc failed.\n");
return ENOMEM;
}
}
@@ -1260,7 +1273,8 @@ static errno_t sdap_get_generic_ext_step(struct tevent_req *req)
if (state->attrs) {
for (i = 0; state->attrs[i]; i++) {
- DEBUG(7, "Requesting attrs: [%s]\n", state->attrs[i]);
+ DEBUG(SSSDBG_TRACE_LIBS,
+ "Requesting attrs: [%s]\n", state->attrs[i]);
}
}
}
@@ -1294,13 +1308,14 @@ static errno_t sdap_get_generic_ext_step(struct tevent_req *req)
ldap_control_free(page_control);
state->serverctrls[state->nserverctrls] = NULL;
if (lret != LDAP_SUCCESS) {
- DEBUG(3, "ldap_search_ext failed: %s\n", sss_ldap_err2string(lret));
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "ldap_search_ext failed: %s\n", sss_ldap_err2string(lret));
if (lret == LDAP_SERVER_DOWN) {
ret = ETIMEDOUT;
optret = sss_ldap_get_diagnostic_msg(state, state->sh->ldap,
&errmsg);
if (optret == LDAP_SUCCESS) {
- DEBUG(3, "Connection error: %s\n", errmsg);
+ DEBUG(SSSDBG_MINOR_FAILURE, "Connection error: %s\n", errmsg);
sss_log(SSS_LOG_ERR, "LDAP connection error: %s", errmsg);
}
else {
@@ -1314,14 +1329,14 @@ static errno_t sdap_get_generic_ext_step(struct tevent_req *req)
}
goto done;
}
- DEBUG(8, "ldap_search_ext called, msgid = %d\n", msgid);
+ DEBUG(SSSDBG_TRACE_INTERNAL, "ldap_search_ext called, msgid = %d\n", msgid);
ret = sdap_op_add(state, state->ev, state->sh, msgid,
sdap_get_generic_ext_done, req,
state->timeout,
&state->op);
if (ret != EOK) {
- DEBUG(1, "Failed to set up operation!\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to set up operation!\n");
goto done;
}
@@ -1362,7 +1377,7 @@ static void sdap_get_generic_ext_done(struct sdap_op *op,
case LDAP_RES_SEARCH_ENTRY:
ret = state->parse_cb(state->sh, reply, state->cb_data);
if (ret != EOK) {
- DEBUG(1, "reply parsing callback failed.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "reply parsing callback failed.\n");
tevent_req_error(req, ret);
return;
}
@@ -1375,12 +1390,13 @@ static void sdap_get_generic_ext_done(struct sdap_op *op,
&result, NULL, &errmsg, NULL,
&returned_controls, 0);
if (ret != LDAP_SUCCESS) {
- DEBUG(2, "ldap_parse_result failed (%d)\n", state->op->msgid);
+ DEBUG(SSSDBG_OP_FAILURE,
+ "ldap_parse_result failed (%d)\n", state->op->msgid);
tevent_req_error(req, EIO);
return;
}
- DEBUG(6, "Search result: %s(%d), %s\n",
+ DEBUG(SSSDBG_TRACE_FUNC, "Search result: %s(%d), %s\n",
sss_ldap_err2string(result), result,
errmsg ? errmsg : "no errmsg set");
@@ -1428,7 +1444,7 @@ static void sdap_get_generic_ext_done(struct sdap_op *op,
&total_count, &cookie);
ldap_controls_free(returned_controls);
if (lret != LDAP_SUCCESS) {
- DEBUG(1, "Could not determine page control");
+ DEBUG(SSSDBG_CRIT_FAILURE, "Could not determine page control");
tevent_req_error(req, EIO);
return;
}
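Review bot: The `Could not determine page control` message has no trailing `\n`, unlike the other DEBUG calls rewritten in this file. Unless the macro appends a newline itself, which the other calls suggest it does not, this entry will run into the next log line. The line is being rewritten anyway, so it can become `DEBUG(SSSDBG_CRIT_FAILURE, "Could not determine page control\n");`. sdap_get_generic_ext_done continues outside the hunk.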
@@ -1546,14 +1562,15 @@ static errno_t sdap_get_generic_parse_entry(struct sdap_handle *sh,
state->map, state->map_num_attrs,
&attrs, NULL, disable_range_rtrvl);
if (ret != EOK) {
- DEBUG(3, "sdap_parse_entry failed [%d]: %s\n", ret, strerror(ret));
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "sdap_parse_entry failed [%d]: %s\n", ret, strerror(ret));
return ret;
}
ret = add_to_reply(state, &state->sreply, attrs);
if (ret != EOK) {
talloc_free(attrs);
- DEBUG(1, "add_to_reply failed.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "add_to_reply failed.\n");
return ret;
}
@@ -1570,7 +1587,8 @@ static void sdap_get_generic_done(struct tevent_req *subreq)
ret = sdap_get_generic_ext_recv(subreq);
talloc_zfree(subreq);
if (ret) {
- DEBUG(4, "sdap_get_generic_ext_recv failed [%d]: %s\n",
+ DEBUG(SSSDBG_CONF_SETTINGS,
+ "sdap_get_generic_ext_recv failed [%d]: %s\n",
ret, sss_strerror(ret));
tevent_req_error(req, ret);
return;
@@ -1647,12 +1665,13 @@ sdap_x_deref_search_send(TALLOC_CTX *memctx, struct tevent_context *ev,
ret = sdap_x_deref_create_control(sh, deref_attr,
attrs, &state->ctrls[0]);
if (ret != EOK) {
- DEBUG(1, "Could not create OpenLDAP deref control\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "Could not create OpenLDAP deref control\n");
talloc_zfree(req);
return NULL;
}
- DEBUG(6, "Dereferencing entry [%s] using OpenLDAP deref\n", base_dn);
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "Dereferencing entry [%s] using OpenLDAP deref\n", base_dn);
subreq = sdap_get_generic_ext_send(state, ev, opts, sh, base_dn,
LDAP_SCOPE_BASE, NULL, attrs,
false, state->ctrls, NULL, 0, timeout,
@@ -1683,7 +1702,7 @@ static int sdap_x_deref_create_control(struct sdap_handle *sh,
ret = ldap_create_deref_control_value(sh->ldap, ds, &derefval);
if (ret != LDAP_SUCCESS) {
- DEBUG(1, "sss_ldap_control_create failed: %s\n",
+ DEBUG(SSSDBG_CRIT_FAILURE, "sss_ldap_control_create failed: %s\n",
ldap_err2string(ret));
return ret;
}
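Review bot: The first error branch in sdap_x_deref_create_control reports `sss_ldap_control_create failed: %s`, but the call that failed on the line above is ldap_create_deref_control_value(). The next hunk logs almost the same text for the real control-create call, so a log reader cannot tell which step broke. Suggested wording: `DEBUG(SSSDBG_CRIT_FAILURE, "ldap_create_deref_control_value failed: %s\n",` with the `ldap_err2string(ret)` argument unchanged. The function body starts and ends outside the hunk.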
@@ -1692,7 +1711,7 @@ static int sdap_x_deref_create_control(struct sdap_handle *sh,
1, &derefval, 1, ctrl);
ldap_memfree(derefval.bv_val);
if (ret != EOK) {
- DEBUG(1, "sss_ldap_control_create failed\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "sss_ldap_control_create failed\n");
return ret;
}
@@ -1790,7 +1809,8 @@ static void sdap_x_deref_search_done(struct tevent_req *subreq)
ret = sdap_get_generic_ext_recv(subreq);
talloc_zfree(subreq);
if (ret) {
- DEBUG(4, "sdap_get_generic_ext_recv failed [%d]: %s\n",
+ DEBUG(SSSDBG_CONF_SETTINGS,
+ "sdap_get_generic_ext_recv failed [%d]: %s\n",
ret, sss_strerror(ret));
tevent_req_error(req, ret);
return;
@@ -1875,11 +1895,11 @@ sdap_asq_search_send(TALLOC_CTX *memctx, struct tevent_context *ev,
ret = sdap_asq_search_create_control(sh, deref_attr, &state->ctrls[0]);
if (ret != EOK) {
talloc_zfree(req);
- DEBUG(1, "Could not create ASQ control\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "Could not create ASQ control\n");
return NULL;
}
- DEBUG(6, "Dereferencing entry [%s] using ASQ\n", base_dn);
+ DEBUG(SSSDBG_TRACE_FUNC, "Dereferencing entry [%s] using ASQ\n", base_dn);
subreq = sdap_get_generic_ext_send(state, ev, opts, sh, base_dn,
LDAP_SCOPE_BASE, NULL, attrs,
false, state->ctrls, NULL, 0, timeout,
@@ -1905,13 +1925,13 @@ static int sdap_asq_search_create_control(struct sdap_handle *sh,
ber = ber_alloc_t(LBER_USE_DER);
if (ber == NULL) {
- DEBUG(2, "ber_alloc_t failed.\n");
+ DEBUG(SSSDBG_OP_FAILURE, "ber_alloc_t failed.\n");
return ENOMEM;
}
ret = ber_printf(ber, "{s}", attr);
if (ret == -1) {
- DEBUG(2, "ber_printf failed.\n");
+ DEBUG(SSSDBG_OP_FAILURE, "ber_printf failed.\n");
ber_free(ber, 1);
return EIO;
}
@@ -1919,14 +1939,14 @@ static int sdap_asq_search_create_control(struct sdap_handle *sh,
ret = ber_flatten(ber, &asqval);
ber_free(ber, 1);
if (ret == -1) {
- DEBUG(1, "ber_flatten failed.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "ber_flatten failed.\n");
return EIO;
}
ret = sdap_control_create(sh, LDAP_SERVER_ASQ_OID, 1, asqval, 1, ctrl);
ber_bvfree(asqval);
if (ret != EOK) {
- DEBUG(1, "sdap_control_create failed\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "sdap_control_create failed\n");
return ret;
}
@@ -2021,7 +2041,8 @@ static errno_t sdap_asq_search_parse_entry(struct sdap_handle *sh,
map, num_attrs,
&res[mi]->attrs, NULL, disable_range_rtrvl);
if (ret != EOK) {
- DEBUG(3, "sdap_parse_entry failed [%d]: %s\n", ret, strerror(ret));
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "sdap_parse_entry failed [%d]: %s\n", ret, strerror(ret));
goto done;
}
}
@@ -2030,7 +2051,7 @@ static errno_t sdap_asq_search_parse_entry(struct sdap_handle *sh,
ret = add_to_deref_reply(state, state->num_maps,
&state->dreply, res);
if (ret != EOK) {
- DEBUG(1, "add_to_deref_reply failed.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "add_to_deref_reply failed.\n");
goto done;
}
@@ -2049,7 +2070,8 @@ static void sdap_asq_search_done(struct tevent_req *subreq)
ret = sdap_get_generic_ext_recv(subreq);
talloc_zfree(subreq);
if (ret) {
- DEBUG(4, "sdap_get_generic_ext_recv failed [%d]: %s\n",
+ DEBUG(SSSDBG_CONF_SETTINGS,
+ "sdap_get_generic_ext_recv failed [%d]: %s\n",
ret, sss_strerror(ret));
tevent_req_error(req, ret);
return;
@@ -2322,29 +2344,30 @@ sdap_deref_search_send(TALLOC_CTX *memctx,
state->reply = NULL;
if (sdap_is_control_supported(sh, LDAP_SERVER_ASQ_OID)) {
- DEBUG(8, "Server supports ASQ\n");
+ DEBUG(SSSDBG_TRACE_INTERNAL, "Server supports ASQ\n");
state->deref_type = SDAP_DEREF_ASQ;
subreq = sdap_asq_search_send(state, ev, opts, sh, base_dn,
deref_attr, attrs, maps, num_maps,
timeout);
if (!subreq) {
- DEBUG(2, "Cannot start ASQ search\n");
+ DEBUG(SSSDBG_OP_FAILURE, "Cannot start ASQ search\n");
goto fail;
}
} else if (sdap_is_control_supported(sh, LDAP_CONTROL_X_DEREF)) {
- DEBUG(8, "Server supports OpenLDAP deref\n");
+ DEBUG(SSSDBG_TRACE_INTERNAL, "Server supports OpenLDAP deref\n");
state->deref_type = SDAP_DEREF_OPENLDAP;
subreq = sdap_x_deref_search_send(state, ev, opts, sh, base_dn,
deref_attr, attrs, maps, num_maps,
timeout);
if (!subreq) {
- DEBUG(2, "Cannot start OpenLDAP deref search\n");
+ DEBUG(SSSDBG_OP_FAILURE, "Cannot start OpenLDAP deref search\n");
goto fail;
}
} else {
- DEBUG(2, "Server does not support any known deref method!\n");
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Server does not support any known deref method!\n");
goto fail;
}
@@ -2374,14 +2397,15 @@ static void sdap_deref_search_done(struct tevent_req *subreq)
&state->reply_count, &state->reply);
break;
default:
- DEBUG(1, "Unknown deref method\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unknown deref method\n");
tevent_req_error(req, EINVAL);
return;
}
talloc_zfree(subreq);
if (ret != EOK) {
- DEBUG(2, "dereference processing failed [%d]: %s\n", ret, strerror(ret));
+ DEBUG(SSSDBG_OP_FAILURE,
+ "dereference processing failed [%d]: %s\n", ret, strerror(ret));
if (ret == ENOTSUP) {
sss_log(SSS_LOG_WARNING,
"LDAP server claims to support deref, but deref search failed. "
@@ -2434,7 +2458,7 @@ bool sdap_has_deref_support(struct sdap_handle *sh, struct sdap_options *opts)
for (i=0; deref_oids[i][0]; i++) {
if (sdap_is_control_supported(sh, deref_oids[i][0])) {
- DEBUG(6, "The server supports deref method %s\n",
+ DEBUG(SSSDBG_TRACE_FUNC, "The server supports deref method %s\n",
deref_oids[i][1]);
return true;
}
diff --git a/src/providers/ldap/sdap_async_connection.c b/src/providers/ldap/sdap_async_connection.c
index 2494837eb..7103976e6 100644
--- a/src/providers/ldap/sdap_async_connection.c
+++ b/src/providers/ldap/sdap_async_connection.c
@@ -41,7 +41,7 @@ errno_t deref_string_to_val(const char *str, int *val)
} else if (strcasecmp(str, "always") == 0) {
*val = LDAP_DEREF_ALWAYS;
} else {
- DEBUG(1, "Illegal deref option [%s].\n", str);
+ DEBUG(SSSDBG_CRIT_FAILURE, "Illegal deref option [%s].\n", str);
return EINVAL;
}
@@ -125,7 +125,7 @@ struct tevent_req *sdap_connect_send(TALLOC_CTX *memctx,
timeout);
if (subreq == NULL) {
ret = ENOMEM;
- DEBUG(1, "sss_ldap_init_send failed.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "sss_ldap_init_send failed.\n");
goto fail;
}
@@ -164,14 +164,14 @@ static void sdap_sys_connect_done(struct tevent_req *subreq)
ret = sss_ldap_init_recv(subreq, &state->sh->ldap, &sd);
talloc_zfree(subreq);
if (ret != EOK) {
- DEBUG(1, "sdap_async_connect_call request failed.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "sdap_async_connect_call request failed.\n");
tevent_req_error(req, ret);
return;
}
ret = setup_ldap_connection_callbacks(state->sh, state->ev);
if (ret != EOK) {
- DEBUG(1, "setup_ldap_connection_callbacks failed.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "setup_ldap_connection_callbacks failed.\n");
goto fail;
}
@@ -181,7 +181,7 @@ static void sdap_sys_connect_done(struct tevent_req *subreq)
if (sd != -1) {
ret = sdap_call_conn_cb(state->uri, sd, state->sh);
if (ret != EOK) {
- DEBUG(1, "sdap_call_conn_cb failed.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "sdap_call_conn_cb failed.\n");
goto fail;
}
}
@@ -190,7 +190,7 @@ static void sdap_sys_connect_done(struct tevent_req *subreq)
ver = LDAP_VERSION3;
lret = ldap_set_option(state->sh->ldap, LDAP_OPT_PROTOCOL_VERSION, &ver);
if (lret != LDAP_OPT_SUCCESS) {
- DEBUG(1, "Failed to set ldap version to 3\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to set ldap version to 3\n");
goto fail;
}
@@ -198,7 +198,7 @@ static void sdap_sys_connect_done(struct tevent_req *subreq)
* to handle EINTR during poll(). */
ret = ldap_set_option(state->sh->ldap, LDAP_OPT_RESTART, LDAP_OPT_ON);
if (ret != LDAP_OPT_SUCCESS) {
- DEBUG(1, "Failed to set restart option.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to set restart option.\n");
}
/* Set Network Timeout */
@@ -206,7 +206,7 @@ static void sdap_sys_connect_done(struct tevent_req *subreq)
tv.tv_usec = 0;
lret = ldap_set_option(state->sh->ldap, LDAP_OPT_NETWORK_TIMEOUT, &tv);
if (lret != LDAP_OPT_SUCCESS) {
- DEBUG(1, "Failed to set network timeout to %d\n",
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to set network timeout to %d\n",
dp_opt_get_int(state->opts->basic, SDAP_NETWORK_TIMEOUT));
goto fail;
}
@@ -216,7 +216,7 @@ static void sdap_sys_connect_done(struct tevent_req *subreq)
tv.tv_usec = 0;
lret = ldap_set_option(state->sh->ldap, LDAP_OPT_TIMEOUT, &tv);
if (lret != LDAP_OPT_SUCCESS) {
- DEBUG(1, "Failed to set default timeout to %d\n",
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to set default timeout to %d\n",
dp_opt_get_int(state->opts->basic, SDAP_OPT_TIMEOUT));
goto fail;
}
@@ -226,7 +226,7 @@ static void sdap_sys_connect_done(struct tevent_req *subreq)
lret = ldap_set_option(state->sh->ldap, LDAP_OPT_REFERRALS,
(ldap_referrals ? LDAP_OPT_ON : LDAP_OPT_OFF));
if (lret != LDAP_OPT_SUCCESS) {
- DEBUG(1, "Failed to set referral chasing to %s\n",
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to set referral chasing to %s\n",
(ldap_referrals ? "LDAP_OPT_ON" : "LDAP_OPT_OFF"));
goto fail;
}
@@ -235,7 +235,7 @@ static void sdap_sys_connect_done(struct tevent_req *subreq)
rebind_proc_params = talloc_zero(state->sh,
struct sdap_rebind_proc_params);
if (rebind_proc_params == NULL) {
- DEBUG(1, "talloc_zero failed.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_zero failed.\n");
ret = ENOMEM;
goto fail;
}
@@ -247,7 +247,7 @@ static void sdap_sys_connect_done(struct tevent_req *subreq)
lret = ldap_set_rebind_proc(state->sh->ldap, sdap_rebind_proc,
rebind_proc_params);
if (lret != LDAP_SUCCESS) {
- DEBUG(1, "ldap_set_rebind_proc failed.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "ldap_set_rebind_proc failed.\n");
goto fail;
}
}
@@ -257,13 +257,14 @@ static void sdap_sys_connect_done(struct tevent_req *subreq)
if (ldap_deref != NULL) {
ret = deref_string_to_val(ldap_deref, &ldap_deref_val);
if (ret != EOK) {
- DEBUG(1, "deref_string_to_val failed.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "deref_string_to_val failed.\n");
goto fail;
}
lret = ldap_set_option(state->sh->ldap, LDAP_OPT_DEREF, &ldap_deref_val);
if (lret != LDAP_OPT_SUCCESS) {
- DEBUG(1, "Failed to set deref option to %d\n", ldap_deref_val);
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Failed to set deref option to %d\n", ldap_deref_val);
goto fail;
}
@@ -307,20 +308,20 @@ static void sdap_sys_connect_done(struct tevent_req *subreq)
return;
}
- DEBUG(4, "Executing START TLS\n");
+ DEBUG(SSSDBG_CONF_SETTINGS, "Executing START TLS\n");
lret = ldap_start_tls(state->sh->ldap, NULL, NULL, &msgid);
if (lret != LDAP_SUCCESS) {
optret = sss_ldap_get_diagnostic_msg(state, state->sh->ldap,
&errmsg);
if (optret == LDAP_SUCCESS) {
- DEBUG(3, "ldap_start_tls failed: [%s] [%s]\n",
+ DEBUG(SSSDBG_MINOR_FAILURE, "ldap_start_tls failed: [%s] [%s]\n",
sss_ldap_err2string(lret),
errmsg);
sss_log(SSS_LOG_ERR, "Could not start TLS. %s", errmsg);
}
else {
- DEBUG(3, "ldap_start_tls failed: [%s]\n",
+ DEBUG(SSSDBG_MINOR_FAILURE, "ldap_start_tls failed: [%s]\n",
sss_ldap_err2string(lret));
sss_log(SSS_LOG_ERR, "Could not start TLS. "
"Check for certificate issues.");
@@ -335,7 +336,7 @@ static void sdap_sys_connect_done(struct tevent_req *subreq)
ret = sdap_op_add(state, state->ev, state->sh, msgid,
sdap_connect_done, req, 5, &state->op);
if (ret) {
- DEBUG(1, "Failed to set up operation!\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to set up operation!\n");
goto fail;
}
@@ -376,17 +377,18 @@ static void sdap_connect_done(struct sdap_op *op,
ret = ldap_parse_result(state->sh->ldap, state->reply->msg,
&state->result, NULL, &errmsg, NULL, NULL, 0);
if (ret != LDAP_SUCCESS) {
- DEBUG(2, "ldap_parse_result failed (%d)\n", state->op->msgid);
+ DEBUG(SSSDBG_OP_FAILURE,
+ "ldap_parse_result failed (%d)\n", state->op->msgid);
tevent_req_error(req, EIO);
return;
}
- DEBUG(3, "START TLS result: %s(%d), %s\n",
+ DEBUG(SSSDBG_MINOR_FAILURE, "START TLS result: %s(%d), %s\n",
sss_ldap_err2string(state->result), state->result, errmsg);
ldap_memfree(errmsg);
if (ldap_tls_inplace(state->sh->ldap)) {
- DEBUG(9, "SSL/TLS handler already in place.\n");
+ DEBUG(SSSDBG_TRACE_ALL, "SSL/TLS handler already in place.\n");
tevent_req_done(req);
return;
}
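Review bot: `START TLS result: %s(%d), %s` is printed on every reply that ldap_parse_result accepts, so the level `SSSDBG_MINOR_FAILURE` carried over from the literal 3 marks a successful StartTLS as a failure in the log. A trace level would match what the line records, e.g. `DEBUG(SSSDBG_TRACE_FUNC, "START TLS result: %s(%d), %s\n",`; the identical line in synchronous_tls_setup and `No Members. Done!` in sdap_process_group_send (SSSDBG_OP_FAILURE, immediately followed by `ret = EOK`) have the same mismatch. Because the level decides which debug_level settings show the message, this is better done as a follow-up than inside the scripted change. `errmsg` also reaches `%s` unchecked; if ldap_parse_result can leave it NULL when the server sends no diagnostic text, an `errmsg ? errmsg : ""` guard is needed. sdap_connect_done starts and ends outside the hunk.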
@@ -398,13 +400,13 @@ static void sdap_connect_done(struct sdap_op *op,
optret = sss_ldap_get_diagnostic_msg(state, state->sh->ldap,
&tlserr);
if (optret == LDAP_SUCCESS) {
- DEBUG(3, "ldap_install_tls failed: [%s] [%s]\n",
+ DEBUG(SSSDBG_MINOR_FAILURE, "ldap_install_tls failed: [%s] [%s]\n",
sss_ldap_err2string(ret),
tlserr);
sss_log(SSS_LOG_ERR, "Could not start TLS encryption. %s", tlserr);
}
else {
- DEBUG(3, "ldap_install_tls failed: [%s]\n",
+ DEBUG(SSSDBG_MINOR_FAILURE, "ldap_install_tls failed: [%s]\n",
sss_ldap_err2string(ret));
sss_log(SSS_LOG_ERR, "Could not start TLS encryption. "
"Check for certificate issues.");
@@ -669,13 +671,14 @@ static struct tevent_req *simple_bind_send(TALLOC_CTX *memctx,
ret = sss_ldap_control_create(LDAP_CONTROL_PASSWORDPOLICYREQUEST,
0, NULL, 0, &ctrls[0]);
if (ret != LDAP_SUCCESS && ret != LDAP_NOT_SUPPORTED) {
- DEBUG(1, "sss_ldap_control_create failed to create "
+ DEBUG(SSSDBG_CRIT_FAILURE, "sss_ldap_control_create failed to create "
"Password Policy control.\n");
goto fail;
}
request_controls = ctrls;
- DEBUG(4, "Executing simple bind as: %s\n", state->user_dn);
+ DEBUG(SSSDBG_CONF_SETTINGS,
+ "Executing simple bind as: %s\n", state->user_dn);
ret = ldap_sasl_bind(state->sh->ldap, state->user_dn, LDAP_SASL_SIMPLE,
pw, request_controls, NULL, &msgid);
@@ -684,16 +687,17 @@ static struct tevent_req *simple_bind_send(TALLOC_CTX *memctx,
ret = ldap_get_option(state->sh->ldap,
LDAP_OPT_RESULT_CODE, &ldap_err);
if (ret != LDAP_OPT_SUCCESS) {
- DEBUG(1, "ldap_bind failed (couldn't get ldap error)\n");
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "ldap_bind failed (couldn't get ldap error)\n");
ret = LDAP_LOCAL_ERROR;
} else {
- DEBUG(1, "ldap_bind failed (%d)[%s]\n",
+ DEBUG(SSSDBG_CRIT_FAILURE, "ldap_bind failed (%d)[%s]\n",
ldap_err, sss_ldap_err2string(ldap_err));
ret = ldap_err;
}
goto fail;
}
- DEBUG(8, "ldap simple bind sent, msgid = %d\n", msgid);
+ DEBUG(SSSDBG_TRACE_INTERNAL, "ldap simple bind sent, msgid = %d\n", msgid);
if (!sh->connected) {
ret = sdap_set_connected(sh, ev);
@@ -704,7 +708,7 @@ static struct tevent_req *simple_bind_send(TALLOC_CTX *memctx,
ret = sdap_op_add(state, ev, sh, msgid,
simple_bind_done, req, 5, &state->op);
if (ret) {
- DEBUG(1, "Failed to set up operation!\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to set up operation!\n");
goto fail;
}
@@ -782,7 +786,8 @@ static void simple_bind_done(struct sdap_op *op,
goto done;
}
- DEBUG(7, "Password Policy Response: expire [%d] grace [%d] "
+ DEBUG(SSSDBG_TRACE_LIBS,
+ "Password Policy Response: expire [%d] grace [%d] "
"error [%s].\n", pp_expire, pp_grace,
ldap_passwordpolicy_err2txt(pp_error));
if (!state->ppolicy)
@@ -933,7 +938,7 @@ static struct tevent_req *sasl_bind_send(TALLOC_CTX *memctx,
state->sasl_user = sasl_user;
state->sasl_cred = sasl_cred;
- DEBUG(4, "Executing sasl bind mech: %s, user: %s\n",
+ DEBUG(SSSDBG_CONF_SETTINGS, "Executing sasl bind mech: %s, user: %s\n",
sasl_mech, sasl_user);
/* FIXME: Warning, this is a sync call!
@@ -1075,12 +1080,12 @@ struct tevent_req *sdap_kinit_send(TALLOC_CTX *memctx,
struct sdap_kinit_state *state;
int ret;
- DEBUG(6, "Attempting kinit (%s, %s, %s, %d)\n",
+ DEBUG(SSSDBG_TRACE_FUNC, "Attempting kinit (%s, %s, %s, %d)\n",
keytab ? keytab : "default",
principal, realm, lifetime);
if (lifetime < 0 || lifetime > INT32_MAX) {
- DEBUG(1, "Ticket lifetime out of range.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "Ticket lifetime out of range.\n");
return NULL;
}
@@ -1099,7 +1104,8 @@ struct tevent_req *sdap_kinit_send(TALLOC_CTX *memctx,
if (keytab) {
ret = setenv("KRB5_KTNAME", keytab, 1);
if (ret == -1) {
- DEBUG(2, "Failed to set KRB5_KTNAME to %s\n", keytab);
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Failed to set KRB5_KTNAME to %s\n", keytab);
talloc_free(req);
return NULL;
}
@@ -1111,7 +1117,7 @@ struct tevent_req *sdap_kinit_send(TALLOC_CTX *memctx,
ret = setenv("KRB5_CANONICALIZE", "false", 1);
}
if (ret == -1) {
- DEBUG(2, "Failed to set KRB5_CANONICALIZE to %s\n",
+ DEBUG(SSSDBG_OP_FAILURE, "Failed to set KRB5_CANONICALIZE to %s\n",
((canonicalize)?"true":"false"));
talloc_free(req);
return NULL;
@@ -1132,14 +1138,15 @@ static struct tevent_req *sdap_kinit_next_kdc(struct tevent_req *req)
struct sdap_kinit_state *state = tevent_req_data(req,
struct sdap_kinit_state);
- DEBUG(7, "Resolving next KDC for service %s\n", state->krb_service_name);
+ DEBUG(SSSDBG_TRACE_LIBS,
+ "Resolving next KDC for service %s\n", state->krb_service_name);
next_req = be_resolve_server_send(state, state->ev,
state->be,
state->krb_service_name,
state->kdc_srv == NULL ? true : false);
if (next_req == NULL) {
- DEBUG(1, "be_resolve_server_send failed.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "be_resolve_server_send failed.\n");
return NULL;
}
tevent_req_set_callback(next_req, sdap_kinit_kdc_resolved, req);
@@ -1165,7 +1172,7 @@ static void sdap_kinit_kdc_resolved(struct tevent_req *subreq)
return;
}
- DEBUG(7, "KDC resolved, attempting to get TGT...\n");
+ DEBUG(SSSDBG_TRACE_LIBS, "KDC resolved, attempting to get TGT...\n");
tgtreq = sdap_get_tgt_send(state, state->ev, state->realm,
state->principal, state->keytab,
@@ -1208,7 +1215,8 @@ static void sdap_kinit_done(struct tevent_req *subreq)
return;
} else if (ret != EOK) {
/* A severe error while executing the child. Abort the operation. */
- DEBUG(1, "child failed (%d [%s])\n", ret, strerror(ret));
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "child failed (%d [%s])\n", ret, strerror(ret));
tevent_req_error(req, ret);
return;
}
@@ -1216,7 +1224,8 @@ static void sdap_kinit_done(struct tevent_req *subreq)
if (result == EOK) {
ret = setenv("KRB5CCNAME", ccname, 1);
if (ret == -1) {
- DEBUG(2, "Unable to set env. variable KRB5CCNAME!\n");
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Unable to set env. variable KRB5CCNAME!\n");
tevent_req_error(req, ERR_AUTH_FAILED);
}
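Review bot: The `setenv("KRB5CCNAME", ccname, 1)` failure branch calls `tevent_req_error(req, ERR_AUTH_FAILED);` and then closes with no `return;`, so execution continues with the rest of the `result == EOK` branch after the request has already been failed. That code is outside the hunk, but if it goes on to complete the request, the caller is notified twice and the kinit may be treated as successful although the credential cache variable was never set. Add `return;` directly after the tevent_req_error call.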
@@ -1236,7 +1245,8 @@ static void sdap_kinit_done(struct tevent_req *subreq)
}
- DEBUG(4, "Could not get TGT: %d [%s]\n", result, sss_strerror(result));
+ DEBUG(SSSDBG_CONF_SETTINGS,
+ "Could not get TGT: %d [%s]\n", result, sss_strerror(result));
tevent_req_error(req, ERR_AUTH_FAILED);
}
@@ -1298,7 +1308,7 @@ struct tevent_req *sdap_auth_send(TALLOC_CTX *memctx,
ret = sss_authtok_get_password(authtok, &password, &pwlen);
if (ret != EOK) {
- DEBUG(1, "Cannot parse authtok.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "Cannot parse authtok.\n");
tevent_req_error(req, ret);
return tevent_req_post(req, ev);
}
@@ -1333,7 +1343,8 @@ static int sdap_auth_get_authtok(const char *authtok_type,
pw->bv_len = authtok.length;
pw->bv_val = (char *) authtok.data;
} else {
- DEBUG(1, "Authentication token type [%s] is not supported\n",
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Authentication token type [%s] is not supported\n",
authtok_type);
return EINVAL;
}
@@ -1503,7 +1514,8 @@ static void sdap_cli_resolve_done(struct tevent_req *subreq)
}
if (use_tls && sdap_is_secure_uri(state->service->uri)) {
- DEBUG(8, "[%s] is a secure channel. No need to run START_TLS\n",
+ DEBUG(SSSDBG_TRACE_INTERNAL,
+ "[%s] is a secure channel. No need to run START_TLS\n",
state->service->uri);
use_tls = false;
}
@@ -1965,7 +1977,7 @@ static int synchronous_tls_setup(LDAP *ldap)
LDAPMessage *result = NULL;
TALLOC_CTX *tmp_ctx;
- DEBUG(4, "Executing START TLS\n");
+ DEBUG(SSSDBG_CONF_SETTINGS, "Executing START TLS\n");
tmp_ctx = talloc_new(NULL);
if (!tmp_ctx) return LDAP_NO_MEMORY;
@@ -1974,11 +1986,12 @@ static int synchronous_tls_setup(LDAP *ldap)
if (lret != LDAP_SUCCESS) {
optret = sss_ldap_get_diagnostic_msg(tmp_ctx, ldap, &diag_msg);
if (optret == LDAP_SUCCESS) {
- DEBUG(3, "ldap_start_tls failed: [%s] [%s]\n",
+ DEBUG(SSSDBG_MINOR_FAILURE, "ldap_start_tls failed: [%s] [%s]\n",
sss_ldap_err2string(lret), diag_msg);
sss_log(SSS_LOG_ERR, "Could not start TLS. %s", diag_msg);
} else {
- DEBUG(3, "ldap_start_tls failed: [%s]\n", sss_ldap_err2string(lret));
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "ldap_start_tls failed: [%s]\n", sss_ldap_err2string(lret));
sss_log(SSS_LOG_ERR, "Could not start TLS. "
"Check for certificate issues.");
}
@@ -1997,16 +2010,17 @@ static int synchronous_tls_setup(LDAP *ldap)
lret = ldap_parse_result(ldap, result, &ldaperr, NULL, &errmsg, NULL, NULL,
0);
if (lret != LDAP_SUCCESS) {
- DEBUG(2, "ldap_parse_result failed (%d) [%d][%s]\n", msgid, lret,
+ DEBUG(SSSDBG_OP_FAILURE,
+ "ldap_parse_result failed (%d) [%d][%s]\n", msgid, lret,
sss_ldap_err2string(lret));
goto done;
}
- DEBUG(3, "START TLS result: %s(%d), %s\n",
+ DEBUG(SSSDBG_MINOR_FAILURE, "START TLS result: %s(%d), %s\n",
sss_ldap_err2string(ldaperr), ldaperr, errmsg);
if (ldap_tls_inplace(ldap)) {
- DEBUG(9, "SSL/TLS handler already in place.\n");
+ DEBUG(SSSDBG_TRACE_ALL, "SSL/TLS handler already in place.\n");
lret = LDAP_SUCCESS;
goto done;
}
@@ -2016,11 +2030,11 @@ static int synchronous_tls_setup(LDAP *ldap)
optret = sss_ldap_get_diagnostic_msg(tmp_ctx, ldap, &diag_msg);
if (optret == LDAP_SUCCESS) {
- DEBUG(3, "ldap_install_tls failed: [%s] [%s]\n",
+ DEBUG(SSSDBG_MINOR_FAILURE, "ldap_install_tls failed: [%s] [%s]\n",
sss_ldap_err2string(lret), diag_msg);
sss_log(SSS_LOG_ERR, "Could not start TLS encryption. %s", diag_msg);
} else {
- DEBUG(3, "ldap_install_tls failed: [%s]\n",
+ DEBUG(SSSDBG_MINOR_FAILURE, "ldap_install_tls failed: [%s]\n",
sss_ldap_err2string(lret));
sss_log(SSS_LOG_ERR, "Could not start TLS encryption. "
"Check for certificate issues.");
@@ -2054,14 +2068,14 @@ static int sdap_rebind_proc(LDAP *ldap, LDAP_CONST char *url, ber_tag_t request,
if (p->use_start_tls) {
ret = synchronous_tls_setup(ldap);
if (ret != LDAP_SUCCESS) {
- DEBUG(1, "synchronous_tls_setup failed.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "synchronous_tls_setup failed.\n");
return ret;
}
}
tmp_ctx = talloc_new(NULL);
if (tmp_ctx == NULL) {
- DEBUG(1, "talloc_new failed.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_new failed.\n");
return LDAP_NO_MEMORY;
}
@@ -2071,7 +2085,8 @@ static int sdap_rebind_proc(LDAP *ldap, LDAP_CONST char *url, ber_tag_t request,
ret = sss_ldap_control_create(LDAP_CONTROL_PASSWORDPOLICYREQUEST,
0, NULL, 0, &ctrls[0]);
if (ret != LDAP_SUCCESS && ret != LDAP_NOT_SUPPORTED) {
- DEBUG(1, "sss_ldap_control_create failed to create "
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "sss_ldap_control_create failed to create "
"Password Policy control.\n");
goto done;
}
@@ -2102,7 +2117,7 @@ static int sdap_rebind_proc(LDAP *ldap, LDAP_CONST char *url, ber_tag_t request,
} else {
sasl_bind_state = talloc_zero(tmp_ctx, struct sasl_bind_state);
if (sasl_bind_state == NULL) {
- DEBUG(1, "talloc_zero failed.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_zero failed.\n");
ret = LDAP_NO_MEMORY;
goto done;
}
@@ -2114,12 +2129,13 @@ static int sdap_rebind_proc(LDAP *ldap, LDAP_CONST char *url, ber_tag_t request,
(*sdap_sasl_interact),
sasl_bind_state);
if (ret != LDAP_SUCCESS) {
- DEBUG(1, "ldap_sasl_interactive_bind_s failed (%d)[%s]\n", ret,
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "ldap_sasl_interactive_bind_s failed (%d)[%s]\n", ret,
sss_ldap_err2string(ret));
}
}
- DEBUG(7, "%s bind to [%s].\n",
+ DEBUG(SSSDBG_TRACE_LIBS, "%s bind to [%s].\n",
(ret == LDAP_SUCCESS ? "Successfully" : "Failed to"), url);
done:
diff --git a/src/providers/ldap/sdap_async_enum.c b/src/providers/ldap/sdap_async_enum.c
index 46c07229c..ebd9ffafb 100644
--- a/src/providers/ldap/sdap_async_enum.c
+++ b/src/providers/ldap/sdap_async_enum.c
@@ -611,7 +611,7 @@ static struct tevent_req *enum_users_send(TALLOC_CTX *memctx,
/* Terminate the search filter */
state->filter = talloc_asprintf_append_buffer(state->filter, ")");
if (!state->filter) {
- DEBUG(2, "Failed to build base filter\n");
+ DEBUG(SSSDBG_OP_FAILURE, "Failed to build base filter\n");
ret = ENOMEM;
goto fail;
}
@@ -679,7 +679,7 @@ static void enum_users_done(struct tevent_req *subreq)
}
}
- DEBUG(4, "Users higher USN value: [%s]\n",
+ DEBUG(SSSDBG_CONF_SETTINGS, "Users higher USN value: [%s]\n",
state->ctx->srv_opts->max_user_value);
tevent_req_done(req);
@@ -848,7 +848,7 @@ static void enum_groups_done(struct tevent_req *subreq)
}
}
- DEBUG(4, "Groups higher USN value: [%s]\n",
+ DEBUG(SSSDBG_CONF_SETTINGS, "Groups higher USN value: [%s]\n",
state->ctx->srv_opts->max_group_value);
tevent_req_done(req);
diff --git a/src/providers/ldap/sdap_async_groups.c b/src/providers/ldap/sdap_async_groups.c
index ff8da1503..930c5ed2d 100644
--- a/src/providers/ldap/sdap_async_groups.c
+++ b/src/providers/ldap/sdap_async_groups.c
@@ -68,7 +68,7 @@ static int sdap_find_entry_by_origDN(TALLOC_CTX *memctx,
goto done;
}
- DEBUG(9, "Searching cache for [%s].\n", sanitized_dn);
+ DEBUG(SSSDBG_TRACE_ALL, "Searching cache for [%s].\n", sanitized_dn);
ret = sysdb_search_entry(tmpctx, ctx,
base_dn, LDB_SCOPE_SUBTREE, filter, no_attrs,
&num_msgs, &msgs);
@@ -246,7 +246,7 @@ static int sdap_fill_memberships(struct sdap_options *opts,
goto done;
}
- DEBUG(7, " member #%d (%s): [%s]\n",
+ DEBUG(SSSDBG_TRACE_LIBS, " member #%d (%s): [%s]\n",
i, (char *)values[i].data,
(char *)el->values[j].data);
@@ -296,7 +296,8 @@ sdap_store_group_with_gid(struct sss_domain_info *domain,
if (!posix_group) {
ret = sysdb_attrs_add_uint32(group_attrs, SYSDB_GIDNUM, 0);
if (ret) {
- DEBUG(2, "Could not set explicit GID 0 for %s\n", name);
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Could not set explicit GID 0 for %s\n", name);
return ret;
}
}
@@ -304,7 +305,7 @@ sdap_store_group_with_gid(struct sss_domain_info *domain,
ret = sysdb_store_group(domain, name, gid, group_attrs,
cache_timeout, now);
if (ret) {
- DEBUG(2, "Could not store group %s\n", name);
+ DEBUG(SSSDBG_OP_FAILURE, "Could not store group %s\n", name);
return ret;
}
@@ -594,7 +595,8 @@ static int sdap_save_group(TALLOC_CTX *memctx,
goto done;
}
- DEBUG(8, "This is%s a posix group\n", (posix_group)?"":" not");
+ DEBUG(SSSDBG_TRACE_INTERNAL,
+ "This is%s a posix group\n", (posix_group)?"":" not");
ret = sysdb_attrs_add_bool(group_attrs, SYSDB_POSIX, posix_group);
if (ret != EOK) {
DEBUG(SSSDBG_MINOR_FAILURE,
@@ -607,7 +609,8 @@ static int sdap_save_group(TALLOC_CTX *memctx,
opts->group_map[SDAP_AT_GROUP_GID].sys_name,
&gid);
if (ret != EOK) {
- DEBUG(1, "no gid provided for [%s] in domain [%s].\n",
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "no gid provided for [%s] in domain [%s].\n",
group_name, dom->name);
ret = EINVAL;
goto done;
@@ -684,7 +687,7 @@ static int sdap_save_group(TALLOC_CTX *memctx,
ret = sdap_save_all_names(group_name, attrs, dom, group_attrs);
if (ret != EOK) {
- DEBUG(1, "Failed to save group names\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to save group names\n");
goto done;
}
DEBUG(SSSDBG_TRACE_FUNC, "Storing info for group %s\n", group_name);
@@ -872,9 +875,10 @@ static int sdap_save_groups(TALLOC_CTX *memctx,
/* Do not fail completely on errors.
* Just report the failure to save and go on */
if (ret) {
- DEBUG(2, "Failed to store group %d. Ignoring.\n", i);
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Failed to store group %d. Ignoring.\n", i);
} else {
- DEBUG(9, "Group %d processed!\n", i);
+ DEBUG(SSSDBG_TRACE_ALL, "Group %d processed!\n", i);
if (twopass && !populate_members) {
saved_groups[nsaved_groups] = groups[i];
nsaved_groups++;
@@ -905,9 +909,10 @@ static int sdap_save_groups(TALLOC_CTX *memctx,
/* Do not fail completely on errors.
* Just report the failure to save and go on */
if (ret) {
- DEBUG(2, "Failed to store group %d members.\n", i);
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Failed to store group %d members.\n", i);
} else {
- DEBUG(9, "Group %d members processed!\n", i);
+ DEBUG(SSSDBG_TRACE_ALL, "Group %d members processed!\n", i);
}
}
}
@@ -1050,7 +1055,7 @@ struct tevent_req *sdap_process_group_send(TALLOC_CTX *memctx,
/* Group without members */
if (el->num_values == 0) {
- DEBUG(2, "No Members. Done!\n");
+ DEBUG(SSSDBG_OP_FAILURE, "No Members. Done!\n");
ret = EOK;
goto done;
}
@@ -1100,7 +1105,8 @@ struct tevent_req *sdap_process_group_send(TALLOC_CTX *memctx,
break;
default:
- DEBUG(1, "Unknown schema type %d\n", opts->schema_type);
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Unknown schema type %d\n", opts->schema_type);
ret = EINVAL;
break;
}
@@ -1109,7 +1115,7 @@ done:
/* We managed to process all the entries */
/* EBUSY means we need to wait for entries in LDAP */
if (ret == EOK) {
- DEBUG(7, "All group members processed\n");
+ DEBUG(SSSDBG_TRACE_LIBS, "All group members processed\n");
tevent_req_done(req);
tevent_req_post(req, ev);
}
@@ -1138,7 +1144,7 @@ sdap_process_missing_member_2307bis(struct tevent_req *req,
* connection.
*/
if (grp_state->check_count > GROUPMEMBER_REQ_PARALLEL) {
- DEBUG(7, " queueing search for: %s\n", user_dn);
+ DEBUG(SSSDBG_TRACE_LIBS, " queueing search for: %s\n", user_dn);
if (!grp_state->queued_members) {
DEBUG(SSSDBG_TRACE_LIBS,
"Allocating queue for %zu members\n",
@@ -1199,7 +1205,7 @@ sdap_process_group_members_2307bis(struct tevent_req *req,
* User already cached in sysdb. Remember the sysdb DN for later
* use by sdap_save_groups()
*/
- DEBUG(7, "sysdbdn: %s\n", strdn);
+ DEBUG(SSSDBG_TRACE_LIBS, "sysdbdn: %s\n", strdn);
state->sysdb_dns->values[state->sysdb_dns->num_values].data =
(uint8_t*) strdn;
state->sysdb_dns->values[state->sysdb_dns->num_values].length =
@@ -1214,18 +1220,21 @@ sdap_process_group_members_2307bis(struct tevent_req *req,
* Also, we don't want to be holding the sysdb
* transaction while we're performing LDAP lookups.
*/
- DEBUG(7, "Searching LDAP for missing user entry\n");
+ DEBUG(SSSDBG_TRACE_LIBS,
+ "Searching LDAP for missing user entry\n");
ret = sdap_process_missing_member_2307bis(req,
member_dn,
memberel->num_values);
if (ret != EOK) {
- DEBUG(1, "Error processing missing member #%d (%s):\n",
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Error processing missing member #%d (%s):\n",
i, member_dn);
return ret;
}
}
} else {
- DEBUG(1, "Error checking cache for member #%d (%s):\n",
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Error checking cache for member #%d (%s):\n",
i, (char *)memberel->values[i].data);
return ret;
}
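Review bot: `Error processing missing member #%d (%s):` and `Error checking cache for member #%d (%s):` both end in a colon with nothing after it, so the CRIT_FAILURE line never shows which error came back although `ret` is returned on the next line. Include the code, for example `"Error checking cache for member #%d (%s): [%d][%s]\n", i, (char *)memberel->values[i].data, ret, strerror(ret));`, the form `Nested group processing failed: [%d][%s]` already uses in this file. The same two messages appear in sdap_process_group_members_2307. The function body starts and ends outside the hunk.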
@@ -1298,7 +1307,8 @@ sdap_process_missing_member_2307(struct sdap_process_group_state *state,
/* Entry exists but the group references it with an alias. */
if (count != 1) {
- DEBUG(1, "More than one entry with this alias?\n");
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "More than one entry with this alias?\n");
ret = EIO;
goto done;
}
@@ -1360,7 +1370,8 @@ sdap_process_group_members_2307(struct sdap_process_group_state *state,
* User already cached in sysdb. Remember the sysdb DN for later
* use by sdap_save_groups()
*/
- DEBUG(7, "Member already cached in sysdb: %s\n", member_name);
+ DEBUG(SSSDBG_TRACE_LIBS,
+ "Member already cached in sysdb: %s\n", member_name);
userdn = sysdb_user_strdn(state->sysdb_dns, state->dom->name, member_name);
if (userdn == NULL) {
@@ -1369,22 +1380,25 @@ sdap_process_group_members_2307(struct sdap_process_group_state *state,
ret = sdap_add_group_member_2307(state->sysdb_dns, userdn);
if (ret != EOK) {
- DEBUG(1, "Could not add member %s into sysdb\n", member_name);
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Could not add member %s into sysdb\n", member_name);
goto done;
}
} else if (ret == ENOENT) {
/* The user is not in sysdb, need to add it */
- DEBUG(7, "member #%d (%s): not found in sysdb\n",
+ DEBUG(SSSDBG_TRACE_LIBS, "member #%d (%s): not found in sysdb\n",
i, member_name);
ret = sdap_process_missing_member_2307(state, member_name);
if (ret != EOK) {
- DEBUG(1, "Error processing missing member #%d (%s):\n",
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Error processing missing member #%d (%s):\n",
i, member_name);
goto done;
}
} else {
- DEBUG(1, "Error checking cache for member #%d (%s):\n",
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Error checking cache for member #%d (%s):\n",
i, (char *) memberel->values[i].data);
goto done;
}
@@ -1434,7 +1448,7 @@ static void sdap_process_group_members(struct tevent_req *subreq)
ret = EINVAL;
}
if (ret) {
- DEBUG(2, "Failed to get the member's name\n");
+ DEBUG(SSSDBG_OP_FAILURE, "Failed to get the member's name\n");
goto next;
}
@@ -1500,7 +1514,7 @@ next:
}
el->values = talloc_steal(state->group, state->ghost_dns->values);
el->num_values = state->ghost_dns->num_values;
- DEBUG(9, "Processed Group - Done\n");
+ DEBUG(SSSDBG_TRACE_ALL, "Processed Group - Done\n");
tevent_req_done(req);
}
}
@@ -1597,7 +1611,7 @@ struct tevent_req *sdap_get_groups_send(TALLOC_CTX *memctx,
subdom_id_ctx = talloc_get_type(sdom->pvt, struct ad_id_ctx);
state->op = sdap_id_op_create(state, subdom_id_ctx->ldap_ctx->conn_cache);
if (!state->op) {
- DEBUG(2, "sdap_id_op_create failed\n");
+ DEBUG(SSSDBG_OP_FAILURE, "sdap_id_op_create failed\n");
ret = ENOMEM;
goto done;
}
@@ -1820,7 +1834,7 @@ static void sdap_get_groups_process(struct tevent_req *subreq)
ret = sysdb_transaction_start(state->sysdb);
if (ret != EOK) {
- DEBUG(0, "Failed to start transaction\n");
+ DEBUG(SSSDBG_FATAL_FAILURE, "Failed to start transaction\n");
tevent_req_error(req, ret);
return;
}
@@ -1828,13 +1842,13 @@ static void sdap_get_groups_process(struct tevent_req *subreq)
if (state->enumeration
&& state->opts->schema_type != SDAP_SCHEMA_RFC2307
&& dp_opt_get_int(state->opts->basic, SDAP_NESTING_LEVEL) != 0) {
- DEBUG(9, "Saving groups without members first "
+ DEBUG(SSSDBG_TRACE_ALL, "Saving groups without members first "
"to allow unrolling of nested groups.\n");
ret = sdap_save_groups(state, state->sysdb, state->dom, state->opts,
state->groups, state->count, false,
NULL, true, NULL);
if (ret) {
- DEBUG(2, "Failed to store groups.\n");
+ DEBUG(SSSDBG_OP_FAILURE, "Failed to store groups.\n");
tevent_req_error(req, ret);
return;
}
@@ -1869,7 +1883,7 @@ static void sdap_get_groups_done(struct tevent_req *subreq)
if (ret) {
sysret = sysdb_transaction_cancel(state->sysdb);
if (sysret != EOK) {
- DEBUG(0, "Could not cancel sysdb transaction\n");
+ DEBUG(SSSDBG_FATAL_FAILURE, "Could not cancel sysdb transaction\n");
}
tevent_req_error(req, ret);
return;
@@ -1880,7 +1894,7 @@ static void sdap_get_groups_done(struct tevent_req *subreq)
if (state->check_count == 0) {
- DEBUG(9, "All groups processed\n");
+ DEBUG(SSSDBG_TRACE_ALL, "All groups processed\n");
/* If ignore_group_members is set for the domain, don't update
* group memberships in the cache.
@@ -1894,14 +1908,14 @@ static void sdap_get_groups_done(struct tevent_req *subreq)
!state->enumeration,
&state->higher_usn);
if (ret) {
- DEBUG(2, "Failed to store groups.\n");
+ DEBUG(SSSDBG_OP_FAILURE, "Failed to store groups.\n");
tevent_req_error(req, ret);
return;
}
DEBUG(SSSDBG_TRACE_ALL, "Saving %zu Groups - Done\n", state->count);
sysret = sysdb_transaction_commit(state->sysdb);
if (sysret != EOK) {
- DEBUG(0, "Couldn't commit transaction\n");
+ DEBUG(SSSDBG_FATAL_FAILURE, "Couldn't commit transaction\n");
tevent_req_error(req, sysret);
} else {
tevent_req_done(req);
@@ -2068,7 +2082,7 @@ static void sdap_nested_done(struct tevent_req *subreq)
&group_count, &groups);
talloc_zfree(subreq);
if (ret != EOK) {
- DEBUG(1, "Nested group processing failed: [%d][%s]\n",
+ DEBUG(SSSDBG_CRIT_FAILURE, "Nested group processing failed: [%d][%s]\n",
ret, strerror(ret));
goto fail;
}
@@ -2078,7 +2092,7 @@ static void sdap_nested_done(struct tevent_req *subreq)
*/
ret = sysdb_transaction_start(state->sysdb);
if (ret != EOK) {
- DEBUG(1, "Failed to start transaction\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to start transaction\n");
goto fail;
}
in_transaction = true;
@@ -2099,7 +2113,7 @@ static void sdap_nested_done(struct tevent_req *subreq)
ret = sysdb_transaction_commit(state->sysdb);
if (ret != EOK) {
- DEBUG(1, "Failed to commit transaction\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to commit transaction\n");
goto fail;
}
in_transaction = false;
@@ -2112,7 +2126,7 @@ fail:
if (in_transaction) {
tret = sysdb_transaction_cancel(state->sysdb);
if (tret != EOK) {
- DEBUG(1, "Failed to cancel transaction\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to cancel transaction\n");
}
}
tevent_req_error(req, ret);
@@ -2217,13 +2231,14 @@ static errno_t sdap_nested_group_populate_users(TALLOC_CTX *mem_ctx,
talloc_zfree(filter);
talloc_zfree(clean_orig_dn);
if (ret != EOK && ret != ENOENT) {
- DEBUG(1, "Error checking cache for user entry\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "Error checking cache for user entry\n");
goto done;
} else if (ret == EOK) {
/* The entry is cached but expired. Update the username
* if needed. */
if (count != 1) {
- DEBUG(1, "More than one entry with this origDN? Skipping\n");
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "More than one entry with this origDN? Skipping\n");
continue;
}
diff --git a/src/providers/ldap/sdap_async_initgroups.c b/src/providers/ldap/sdap_async_initgroups.c
index b7c42fa95..5334ef84d 100644
--- a/src/providers/ldap/sdap_async_initgroups.c
+++ b/src/providers/ldap/sdap_async_initgroups.c
@@ -80,13 +80,13 @@ static errno_t sdap_add_incomplete_groups(struct sysdb_ctx *sysdb,
continue;
} else if (ret == ENOENT) {
missing[mi] = talloc_steal(missing, tmp_name);
- DEBUG(7, "Group #%d [%s][%s] is not cached, " \
+ DEBUG(SSSDBG_TRACE_LIBS, "Group #%d [%s][%s] is not cached, " \
"need to add a fake entry\n",
i, groupnames[i], missing[mi]);
mi++;
continue;
} else if (ret != ENOENT) {
- DEBUG(1, "search for group failed [%d]: %s\n",
+ DEBUG(SSSDBG_CRIT_FAILURE, "search for group failed [%d]: %s\n",
ret, strerror(ret));
goto done;
}
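Review bot: The last branch of this chain, `} else if (ret != ENOENT) {`, can never be false, because the branch before it already handled `ret == ENOENT`. Writing it as `} else {` makes it obvious that every remaining error code reaches `goto done`. The `\` after the first string fragment in the "is not cached" message is also unnecessary, since adjacent string literals concatenate without it. sdap_add_incomplete_groups starts and ends outside this hunk.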
@@ -180,7 +180,8 @@ static errno_t sdap_add_incomplete_groups(struct sysdb_ctx *sysdb,
gid = 0;
posix = false;
} else if (ret) {
- DEBUG(1, "The GID attribute is malformed\n");
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "The GID attribute is malformed\n");
goto done;
}
}
@@ -189,7 +190,8 @@ static errno_t sdap_add_incomplete_groups(struct sysdb_ctx *sysdb,
SYSDB_ORIG_DN,
&original_dn);
if (ret) {
- DEBUG(5, "The group has no name original DN\n");
+ DEBUG(SSSDBG_FUNC_DATA,
+ "The group has no name original DN\n");
original_dn = NULL;
}
@@ -206,7 +208,8 @@ static errno_t sdap_add_incomplete_groups(struct sysdb_ctx *sysdb,
}
if (ai == ldap_groups_count) {
- DEBUG(2, "Group %s not present in LDAP\n", missing[i]);
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Group %s not present in LDAP\n", missing[i]);
ret = EINVAL;
goto done;
}
@@ -263,7 +266,8 @@ int sdap_initgr_common_store(struct sysdb_ctx *sysdb,
opts->group_map[SDAP_AT_GROUP_NAME].name,
&ldap_grouplist);
if (ret != EOK) {
- DEBUG(1, "sysdb_attrs_primary_name_list failed [%d]: %s\n",
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "sysdb_attrs_primary_name_list failed [%d]: %s\n",
ret, strerror(ret));
goto done;
}
@@ -278,7 +282,7 @@ int sdap_initgr_common_store(struct sysdb_ctx *sysdb,
ret = sysdb_transaction_start(sysdb);
if (ret != EOK) {
- DEBUG(1, "Failed to start transaction\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to start transaction\n");
goto done;
}
in_transaction = true;
@@ -291,24 +295,24 @@ int sdap_initgr_common_store(struct sysdb_ctx *sysdb,
add_groups, ldap_groups,
ldap_groups_count);
if (ret != EOK) {
- DEBUG(1, "Adding incomplete users failed\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "Adding incomplete users failed\n");
goto done;
}
}
- DEBUG(8, "Updating memberships for %s\n", name);
+ DEBUG(SSSDBG_TRACE_INTERNAL, "Updating memberships for %s\n", name);
ret = sysdb_update_members(domain, name, type,
(const char *const *) add_groups,
(const char *const *) del_groups);
if (ret != EOK) {
- DEBUG(1, "Membership update failed [%d]: %s\n",
+ DEBUG(SSSDBG_CRIT_FAILURE, "Membership update failed [%d]: %s\n",
ret, strerror(ret));
goto done;
}
ret = sysdb_transaction_commit(sysdb);
if (ret != EOK) {
- DEBUG(1, "Failed to commit transaction\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to commit transaction\n");
goto done;
}
in_transaction = false;
@@ -318,7 +322,7 @@ done:
if (in_transaction) {
tret = sysdb_transaction_cancel(sysdb);
if (tret != EOK) {
- DEBUG(1, "Failed to cancel transaction\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to cancel transaction\n");
}
}
talloc_zfree(tmp_ctx);
@@ -589,7 +593,8 @@ sdap_nested_groups_store(struct sysdb_ctx *sysdb,
opts->group_map[SDAP_AT_GROUP_NAME].name,
&groupnamelist);
if (ret != EOK) {
- DEBUG(3, "sysdb_attrs_primary_name_list failed [%d]: %s\n",
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "sysdb_attrs_primary_name_list failed [%d]: %s\n",
ret, strerror(ret));
goto done;
}
@@ -597,7 +602,7 @@ sdap_nested_groups_store(struct sysdb_ctx *sysdb,
ret = sysdb_transaction_start(sysdb);
if (ret != EOK) {
- DEBUG(1, "Failed to start transaction\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to start transaction\n");
goto done;
}
in_transaction = true;
@@ -605,14 +610,14 @@ sdap_nested_groups_store(struct sysdb_ctx *sysdb,
ret = sdap_add_incomplete_groups(sysdb, domain, opts, groupnamelist,
groups, count);
if (ret != EOK) {
- DEBUG(6, "Could not add incomplete groups [%d]: %s\n",
+ DEBUG(SSSDBG_TRACE_FUNC, "Could not add incomplete groups [%d]: %s\n",
ret, strerror(ret));
goto done;
}
ret = sysdb_transaction_commit(sysdb);
if (ret != EOK) {
- DEBUG(1, "Failed to commit transaction\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to commit transaction\n");
goto done;
}
in_transaction = false;
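Review bot: The failure of sdap_add_incomplete_groups is logged at `SSSDBG_TRACE_FUNC` although the branch aborts the store with `goto done`, so the one-to-one mapping from the old level 6 keeps a real error out of the log unless function tracing is enabled. These paths decide which groups end up cached for a user, so an operator chasing a missing membership would expect `DEBUG(SSSDBG_OP_FAILURE, "Could not add incomplete groups [%d]: %s\n",` here. The same mismatch shows in "rfc2307bis_nested failed" (rfc2307bis_nested_groups_done) and in "Error in initgroups" and "Could not find user's primary GID" (sdap_get_initgr_done), which take the error path at `SSSDBG_TRACE_FUNC` or `SSSDBG_TRACE_ALL`. If the script is meant to stay purely mechanical, these are worth a follow-up change; the function body continues outside this hunk.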
@@ -622,7 +627,7 @@ done:
if (in_transaction) {
tret = sysdb_transaction_cancel(sysdb);
if (tret != EOK) {
- DEBUG(1, "Failed to cancel transaction\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to cancel transaction\n");
}
}
@@ -751,7 +756,7 @@ static struct tevent_req *sdap_initgr_nested_send(TALLOC_CTX *memctx,
ret = sysdb_attrs_get_el(state->user, SYSDB_MEMBEROF, &state->memberof);
if (ret || !state->memberof || state->memberof->num_values == 0) {
- DEBUG(4, "User entry lacks original memberof ?\n");
+ DEBUG(SSSDBG_CONF_SETTINGS, "User entry lacks original memberof ?\n");
/* We can't find any groups for this user, so we'll
* have to assume there aren't any. Just return
* success here.
@@ -1003,7 +1008,7 @@ static void sdap_initgr_nested_store(struct tevent_req *req)
ret = sysdb_transaction_start(state->sysdb);
if (ret != EOK) {
- DEBUG(1, "Failed to start transaction\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to start transaction\n");
goto fail;
}
in_transaction = true;
@@ -1011,7 +1016,7 @@ static void sdap_initgr_nested_store(struct tevent_req *req)
/* save the groups if they are not already */
ret = sdap_initgr_store_groups(state);
if (ret != EOK) {
- DEBUG(3, "Could not save groups [%d]: %s\n",
+ DEBUG(SSSDBG_MINOR_FAILURE, "Could not save groups [%d]: %s\n",
ret, strerror(ret));
goto fail;
}
@@ -1019,7 +1024,8 @@ static void sdap_initgr_nested_store(struct tevent_req *req)
/* save the group memberships */
ret = sdap_initgr_store_group_memberships(state);
if (ret != EOK) {
- DEBUG(3, "Could not save group memberships [%d]: %s\n",
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Could not save group memberships [%d]: %s\n",
ret, strerror(ret));
goto fail;
}
@@ -1027,14 +1033,15 @@ static void sdap_initgr_nested_store(struct tevent_req *req)
/* save the user memberships */
ret = sdap_initgr_store_user_memberships(state);
if (ret != EOK) {
- DEBUG(3, "Could not save user memberships [%d]: %s\n",
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Could not save user memberships [%d]: %s\n",
ret, strerror(ret));
goto fail;
}
ret = sysdb_transaction_commit(state->sysdb);
if (ret != EOK) {
- DEBUG(1, "Failed to commit transaction\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to commit transaction\n");
goto fail;
}
in_transaction = false;
@@ -1046,7 +1053,7 @@ fail:
if (in_transaction) {
tret = sysdb_transaction_cancel(state->sysdb);
if (tret != EOK) {
- DEBUG(1, "Failed to cancel transaction\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to cancel transaction\n");
}
}
tevent_req_error(req, ret);
@@ -1102,7 +1109,8 @@ sdap_initgr_store_group_memberships(struct sdap_initgr_nested_state *state)
state->groups_cur,
&miter);
if (ret) {
- DEBUG(3, "Could not compute memberships for group %d [%d]: %s\n",
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Could not compute memberships for group %d [%d]: %s\n",
i, ret, strerror(ret));
goto done;
}
@@ -1112,7 +1120,7 @@ sdap_initgr_store_group_memberships(struct sdap_initgr_nested_state *state)
ret = sysdb_transaction_start(state->sysdb);
if (ret != EOK) {
- DEBUG(1, "Failed to start transaction\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to start transaction\n");
goto done;
}
in_transaction = true;
@@ -1123,14 +1131,14 @@ sdap_initgr_store_group_memberships(struct sdap_initgr_nested_state *state)
(const char *const *) miter->add,
(const char *const *) miter->del);
if (ret != EOK) {
- DEBUG(3, "Failed to update memberships\n");
+ DEBUG(SSSDBG_MINOR_FAILURE, "Failed to update memberships\n");
goto done;
}
}
ret = sysdb_transaction_commit(state->sysdb);
if (ret != EOK) {
- DEBUG(1, "Failed to commit transaction\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to commit transaction\n");
goto done;
}
in_transaction = false;
@@ -1140,7 +1148,7 @@ done:
if (in_transaction) {
tret = sysdb_transaction_cancel(state->sysdb);
if (tret != EOK) {
- DEBUG(1, "Failed to cancel transaction\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to cancel transaction\n");
}
}
talloc_free(tmp_ctx);
@@ -1175,7 +1183,7 @@ sdap_initgr_store_user_memberships(struct sdap_initgr_nested_state *state)
/* Get direct LDAP parents */
ret = sysdb_attrs_get_string(state->user, SYSDB_ORIG_DN, &orig_dn);
if (ret != EOK) {
- DEBUG(2, "The user has no original DN\n");
+ DEBUG(SSSDBG_OP_FAILURE, "The user has no original DN\n");
goto done;
}
@@ -1190,7 +1198,8 @@ sdap_initgr_store_user_memberships(struct sdap_initgr_nested_state *state)
for (i=0; i < state->groups_cur ; i++) {
ret = sysdb_attrs_get_el(state->groups[i], SYSDB_MEMBER, &el);
if (ret) {
- DEBUG(3, "A group with no members during initgroups?\n");
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "A group with no members during initgroups?\n");
goto done;
}
@@ -1204,7 +1213,8 @@ sdap_initgr_store_user_memberships(struct sdap_initgr_nested_state *state)
}
}
- DEBUG(7, "The user %s is a direct member of %d LDAP groups\n",
+ DEBUG(SSSDBG_TRACE_LIBS,
+ "The user %s is a direct member of %d LDAP groups\n",
state->username, nparents);
if (nparents == 0) {
@@ -1216,7 +1226,8 @@ sdap_initgr_store_user_memberships(struct sdap_initgr_nested_state *state)
state->opts->group_map[SDAP_AT_GROUP_NAME].name,
&ldap_parent_name_list);
if (ret != EOK) {
- DEBUG(1, "sysdb_attrs_primary_name_list failed [%d]: %s\n",
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "sysdb_attrs_primary_name_list failed [%d]: %s\n",
ret, strerror(ret));
goto done;
}
@@ -1225,7 +1236,8 @@ sdap_initgr_store_user_memberships(struct sdap_initgr_nested_state *state)
ret = sysdb_get_direct_parents(tmp_ctx, state->dom, SYSDB_MEMBER_USER,
state->username, &sysdb_parent_name_list);
if (ret) {
- DEBUG(1, "Could not get direct sysdb parents for %s: %d [%s]\n",
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Could not get direct sysdb parents for %s: %d [%s]\n",
state->username, ret, strerror(ret));
goto done;
}
@@ -1239,17 +1251,19 @@ sdap_initgr_store_user_memberships(struct sdap_initgr_nested_state *state)
ret = sysdb_transaction_start(state->sysdb);
if (ret != EOK) {
- DEBUG(1, "Failed to start transaction\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to start transaction\n");
goto done;
}
in_transaction = true;
- DEBUG(8, "Updating memberships for %s\n", state->username);
+ DEBUG(SSSDBG_TRACE_INTERNAL,
+ "Updating memberships for %s\n", state->username);
ret = sysdb_update_members(state->dom, state->username, SYSDB_MEMBER_USER,
(const char *const *) add_groups,
(const char *const *) del_groups);
if (ret != EOK) {
- DEBUG(1, "Could not update sysdb memberships for %s: %d [%s]\n",
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Could not update sysdb memberships for %s: %d [%s]\n",
state->username, ret, strerror(ret));
goto done;
}
@@ -1265,7 +1279,7 @@ done:
if (in_transaction) {
tret = sysdb_transaction_cancel(state->sysdb);
if (tret != EOK) {
- DEBUG(1, "Failed to cancel transaction\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to cancel transaction\n");
}
}
talloc_zfree(tmp_ctx);
@@ -1309,7 +1323,8 @@ sdap_initgr_nested_get_membership_diff(TALLOC_CTX *mem_ctx,
ret = sysdb_get_direct_parents(tmp_ctx, dom, SYSDB_MEMBER_GROUP,
group_name, &sysdb_parents_names_list);
if (ret) {
- DEBUG(1, "Could not get direct sysdb parents for %s: %d [%s]\n",
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Could not get direct sysdb parents for %s: %d [%s]\n",
group_name, ret, strerror(ret));
goto done;
}
@@ -1322,11 +1337,12 @@ sdap_initgr_nested_get_membership_diff(TALLOC_CTX *mem_ctx,
&ldap_parentlist,
&parents_count);
if (ret != EOK) {
- DEBUG(1, "Cannot get parent groups for %s [%d]: %s\n",
+ DEBUG(SSSDBG_CRIT_FAILURE, "Cannot get parent groups for %s [%d]: %s\n",
group_name, ret, strerror(ret));
goto done;
}
- DEBUG(7, "The group %s is a direct member of %d LDAP groups\n",
+ DEBUG(SSSDBG_TRACE_LIBS,
+ "The group %s is a direct member of %d LDAP groups\n",
group_name, parents_count);
if (parents_count > 0) {
@@ -1336,7 +1352,8 @@ sdap_initgr_nested_get_membership_diff(TALLOC_CTX *mem_ctx,
opts->group_map[SDAP_AT_GROUP_NAME].name,
&ldap_parent_names_list);
if (ret != EOK) {
- DEBUG(1, "sysdb_attrs_primary_name_list failed [%d]: %s\n",
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "sysdb_attrs_primary_name_list failed [%d]: %s\n",
ret, strerror(ret));
goto done;
}
@@ -1345,7 +1362,8 @@ sdap_initgr_nested_get_membership_diff(TALLOC_CTX *mem_ctx,
ret = build_membership_diff(tmp_ctx, group_name, ldap_parent_names_list,
sysdb_parents_names_list, &mdiff);
if (ret != EOK) {
- DEBUG(3, "Could not build membership diff for %s [%d]: %s\n",
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Could not build membership diff for %s [%d]: %s\n",
group_name, ret, strerror(ret));
goto done;
}
@@ -1386,10 +1404,11 @@ static int sdap_initgr_nested_get_direct_parents(TALLOC_CTX *mem_ctx,
ret = sysdb_attrs_get_string(attrs, SYSDB_ORIG_DN, &orig_dn);
if (ret != EOK) {
- DEBUG(3, "Missing originalDN\n");
+ DEBUG(SSSDBG_MINOR_FAILURE, "Missing originalDN\n");
goto done;
}
- DEBUG(9, "Looking up direct parents for group [%s]\n", orig_dn);
+ DEBUG(SSSDBG_TRACE_ALL,
+ "Looking up direct parents for group [%s]\n", orig_dn);
/* FIXME - Filter only parents from full set to avoid searching
* through all members of huge groups. That requires asking for memberOf
@@ -1400,7 +1419,8 @@ static int sdap_initgr_nested_get_direct_parents(TALLOC_CTX *mem_ctx,
for (i=0; i < ngroups; i++) {
ret = sysdb_attrs_get_el(groups[i], SYSDB_MEMBER, &member);
if (ret) {
- DEBUG(7, "A group with no members during initgroups?\n");
+ DEBUG(SSSDBG_TRACE_LIBS,
+ "A group with no members during initgroups?\n");
continue;
}
@@ -1415,7 +1435,8 @@ static int sdap_initgr_nested_get_direct_parents(TALLOC_CTX *mem_ctx,
}
direct_groups[ndirect] = NULL;
- DEBUG(9, "The group [%s] has %d direct parents\n", orig_dn, ndirect);
+ DEBUG(SSSDBG_TRACE_ALL,
+ "The group [%s] has %d direct parents\n", orig_dn, ndirect);
*_direct_parents = talloc_steal(mem_ctx, direct_groups);
*_ndirect = ndirect;
@@ -1736,7 +1757,7 @@ static void sdap_initgr_rfc2307bis_done(struct tevent_req *subreq)
ret = sysdb_transaction_start(state->sysdb);
if (ret != EOK) {
- DEBUG(1, "Failed to start transaction\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to start transaction\n");
goto fail;
}
in_transaction = true;
@@ -1744,27 +1765,30 @@ static void sdap_initgr_rfc2307bis_done(struct tevent_req *subreq)
/* save the groups if they are not cached */
ret = save_rfc2307bis_groups(state);
if (ret != EOK) {
- DEBUG(3, "Could not save groups memberships [%d]", ret);
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Could not save groups memberships [%d]", ret);
goto fail;
}
/* save the group membership */
ret = save_rfc2307bis_group_memberships(state);
if (ret != EOK) {
- DEBUG(3, "Could not save group memberships [%d]", ret);
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Could not save group memberships [%d]", ret);
goto fail;
}
/* save the user memberships */
ret = save_rfc2307bis_user_memberships(state);
if (ret != EOK) {
- DEBUG(3, "Could not save user memberships [%d]", ret);
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Could not save user memberships [%d]", ret);
goto fail;
}
ret = sysdb_transaction_commit(state->sysdb);
if (ret != EOK) {
- DEBUG(1, "Failed to commit transaction\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to commit transaction\n");
goto fail;
}
in_transaction = false;
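Review bot: The three rewrapped messages in this hunk ("Could not save groups memberships [%d]", "Could not save group memberships [%d]", "Could not save user memberships [%d]") have no trailing `\n`, unlike every other DEBUG call in the function. Unless the macro adds a newline itself, which is not visible here, the next log entry is appended to the same line, which makes the error harder to find and to parse. Since these lines are being touched anyway, end each format string with a newline, e.g. `"Could not save user memberships [%d]\n", ret);`. The first message also says "groups memberships" for the `save_rfc2307bis_groups` call, where "groups" appears to be what was meant.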
@@ -1776,7 +1800,7 @@ fail:
if (in_transaction) {
tret = sysdb_transaction_cancel(state->sysdb);
if (tret != EOK) {
- DEBUG(1, "Failed to cancel transaction\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to cancel transaction\n");
}
}
tevent_req_error(req, ret);
@@ -1837,7 +1861,7 @@ save_rfc2307bis_groups(struct sdap_initgr_rfc2307bis_state *state)
ret = sdap_nested_groups_store(state->sysdb, state->dom, state->opts,
groups, count);
if (ret != EOK) {
- DEBUG(3, "Could not save groups [%d]: %s\n",
+ DEBUG(SSSDBG_MINOR_FAILURE, "Could not save groups [%d]: %s\n",
ret, strerror(ret));
goto done;
}
@@ -1891,7 +1915,7 @@ save_rfc2307bis_group_memberships(struct sdap_initgr_rfc2307bis_state *state)
ret = sysdb_transaction_start(state->sysdb);
if (ret != EOK) {
- DEBUG(1, "Failed to start transaction\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to start transaction\n");
goto done;
}
in_transaction = true;
@@ -1930,14 +1954,14 @@ save_rfc2307bis_group_memberships(struct sdap_initgr_rfc2307bis_state *state)
(const char *const *) add,
(const char *const *) iter->del);
if (ret != EOK) {
- DEBUG(3, "Failed to update memberships\n");
+ DEBUG(SSSDBG_MINOR_FAILURE, "Failed to update memberships\n");
goto done;
}
}
ret = sysdb_transaction_commit(state->sysdb);
if (ret != EOK) {
- DEBUG(1, "Failed to commit transaction\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to commit transaction\n");
goto done;
}
in_transaction = false;
@@ -1947,7 +1971,7 @@ done:
if (in_transaction) {
tret = sysdb_transaction_cancel(state->sysdb);
if (tret != EOK) {
- DEBUG(1, "Failed to cancel transaction\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to cancel transaction\n");
}
}
talloc_free(tmp_ctx);
@@ -1980,7 +2004,8 @@ rfc2307bis_group_memberships_build(hash_entry_t *item, void *user_data)
ret = sysdb_get_direct_parents(tmp_ctx, mstate->dom, SYSDB_MEMBER_GROUP,
group_name, &sysdb_parents_names_list);
if (ret) {
- DEBUG(1, "Could not get direct sysdb parents for %s: %d [%s]\n",
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Could not get direct sysdb parents for %s: %d [%s]\n",
group_name, ret, strerror(ret));
goto done;
}
@@ -1998,7 +2023,8 @@ rfc2307bis_group_memberships_build(hash_entry_t *item, void *user_data)
ret = build_membership_diff(tmp_ctx, group_name, ldap_parents_names_list,
sysdb_parents_names_list, &mdiff);
if (ret != EOK) {
- DEBUG(3, "Could not build membership diff for %s [%d]: %s\n",
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Could not build membership diff for %s [%d]: %s\n",
group_name, ret, strerror(ret));
goto done;
}
@@ -2029,7 +2055,7 @@ errno_t save_rfc2307bis_user_memberships(
return ENOMEM;
}
- DEBUG(7, "Save parent groups to sysdb\n");
+ DEBUG(SSSDBG_TRACE_LIBS, "Save parent groups to sysdb\n");
ret = sysdb_transaction_start(state->sysdb);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE, "Failed to start transaction\n");
@@ -2040,7 +2066,8 @@ errno_t save_rfc2307bis_user_memberships(
ret = sysdb_get_direct_parents(tmp_ctx, state->dom, SYSDB_MEMBER_USER,
state->name, &sysdb_parent_name_list);
if (ret) {
- DEBUG(1, "Could not get direct sysdb parents for %s: %d [%s]\n",
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Could not get direct sysdb parents for %s: %d [%s]\n",
state->name, ret, strerror(ret));
goto error;
}
@@ -2084,7 +2111,7 @@ errno_t save_rfc2307bis_user_memberships(
goto error;
}
- DEBUG(8, "Updating memberships for %s\n", state->name);
+ DEBUG(SSSDBG_TRACE_INTERNAL, "Updating memberships for %s\n", state->name);
ret = sysdb_update_members(state->dom, state->name, SYSDB_MEMBER_USER,
(const char *const *)add_groups,
(const char *const *)del_groups);
@@ -2106,7 +2133,7 @@ error:
if (in_transaction) {
tret = sysdb_transaction_cancel(state->sysdb);
if (tret != EOK) {
- DEBUG(1, "Failed to cancel transaction\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to cancel transaction\n");
}
}
talloc_free(tmp_ctx);
@@ -2536,7 +2563,7 @@ static void rfc2307bis_nested_groups_done(struct tevent_req *subreq)
ret = rfc2307bis_nested_groups_recv(subreq);
talloc_zfree(subreq);
if (ret != EOK) {
- DEBUG(6, "rfc2307bis_nested failed [%d][%s]\n",
+ DEBUG(SSSDBG_TRACE_FUNC, "rfc2307bis_nested failed [%d][%s]\n",
ret, strerror(ret));
tevent_req_error(req, ret);
return;
@@ -2610,7 +2637,7 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx,
char *clean_name;
bool use_id_mapping;
- DEBUG(9, "Retrieving info for initgroups call\n");
+ DEBUG(SSSDBG_TRACE_ALL, "Retrieving info for initgroups call\n");
req = tevent_req_create(memctx, &state, struct sdap_get_initgr_state);
if (!req) return NULL;
@@ -2753,7 +2780,7 @@ static void sdap_get_initgr_user(struct tevent_req *subreq)
size_t dn_len;
size_t c = 0;
- DEBUG(9, "Receiving info for the user\n");
+ DEBUG(SSSDBG_TRACE_ALL, "Receiving info for the user\n");
ret = sdap_get_generic_recv(subreq, state, &count, &usr_attrs);
talloc_zfree(subreq);
@@ -2843,7 +2870,7 @@ static void sdap_get_initgr_user(struct tevent_req *subreq)
}
in_transaction = true;
- DEBUG(9, "Storing the user\n");
+ DEBUG(SSSDBG_TRACE_ALL, "Storing the user\n");
ret = sdap_save_user(state, state->opts, state->dom, state->orig_user,
true, NULL, 0);
@@ -2851,7 +2878,7 @@ static void sdap_get_initgr_user(struct tevent_req *subreq)
goto fail;
}
- DEBUG(9, "Commit change\n");
+ DEBUG(SSSDBG_TRACE_ALL, "Commit change\n");
ret = sysdb_transaction_commit(state->sysdb);
if (ret) {
@@ -2867,7 +2894,7 @@ static void sdap_get_initgr_user(struct tevent_req *subreq)
return;
}
- DEBUG(9, "Process user's groups\n");
+ DEBUG(SSSDBG_TRACE_ALL, "Process user's groups\n");
switch (state->opts->schema_type) {
case SDAP_SCHEMA_RFC2307:
@@ -2976,7 +3003,7 @@ static void sdap_get_initgr_done(struct tevent_req *subreq)
char *group_sid_str;
struct sdap_options *opts = state->opts;
- DEBUG(9, "Initgroups done\n");
+ DEBUG(SSSDBG_TRACE_ALL, "Initgroups done\n");
tmp_ctx = talloc_new(NULL);
if (!tmp_ctx) {
@@ -3015,7 +3042,7 @@ static void sdap_get_initgr_done(struct tevent_req *subreq)
talloc_zfree(subreq);
if (ret) {
- DEBUG(9, "Error in initgroups: [%d][%s]\n",
+ DEBUG(SSSDBG_TRACE_ALL, "Error in initgroups: [%d][%s]\n",
ret, strerror(ret));
goto fail;
}
@@ -3079,7 +3106,7 @@ static void sdap_get_initgr_done(struct tevent_req *subreq)
ret = sysdb_attrs_get_uint32_t(state->orig_user, SYSDB_GIDNUM,
&primary_gid);
if (ret != EOK) {
- DEBUG(6, "Could not find user's primary GID\n");
+ DEBUG(SSSDBG_TRACE_FUNC, "Could not find user's primary GID\n");
goto fail;
}
}
diff --git a/src/providers/ldap/sdap_async_initgroups_ad.c b/src/providers/ldap/sdap_async_initgroups_ad.c
index 5e26de109..80e4f29ad 100644
--- a/src/providers/ldap/sdap_async_initgroups_ad.c
+++ b/src/providers/ldap/sdap_async_initgroups_ad.c
@@ -741,7 +741,7 @@ sdap_ad_tokengroups_initgr_mapping_send(TALLOC_CTX *mem_ctx,
subdom_id_ctx = talloc_get_type(sdom->pvt, struct ad_id_ctx);
state->op = sdap_id_op_create(state, subdom_id_ctx->ldap_ctx->conn_cache);
if (!state->op) {
- DEBUG(2, "sdap_id_op_create failed\n");
+ DEBUG(SSSDBG_OP_FAILURE, "sdap_id_op_create failed\n");
ret = ENOMEM;
goto immediately;
}
@@ -1036,7 +1036,7 @@ sdap_ad_tokengroups_initgr_posix_send(TALLOC_CTX *mem_ctx,
subdom_id_ctx = talloc_get_type(sdom->pvt, struct ad_id_ctx);
state->op = sdap_id_op_create(state, subdom_id_ctx->ldap_ctx->conn_cache);
if (!state->op) {
- DEBUG(2, "sdap_id_op_create failed\n");
+ DEBUG(SSSDBG_OP_FAILURE, "sdap_id_op_create failed\n");
ret = ENOMEM;
goto immediately;
}
diff --git a/src/providers/ldap/sdap_async_netgroups.c b/src/providers/ldap/sdap_async_netgroups.c
index d6446fc30..e50f25087 100644
--- a/src/providers/ldap/sdap_async_netgroups.c
+++ b/src/providers/ldap/sdap_async_netgroups.c
@@ -80,7 +80,8 @@ static errno_t sdap_save_netgroup(TALLOC_CTX *memctx,
goto fail;
}
if (el->num_values == 0) {
- DEBUG(7, "Original mod-Timestamp is not available for [%s].\n",
+ DEBUG(SSSDBG_TRACE_LIBS,
+ "Original mod-Timestamp is not available for [%s].\n",
name);
} else {
ret = sysdb_attrs_add_string(netgroup_attrs,
@@ -118,12 +119,12 @@ static errno_t sdap_save_netgroup(TALLOC_CTX *memctx,
goto fail;
}
- DEBUG(6, "Storing info for netgroup %s\n", name);
+ DEBUG(SSSDBG_TRACE_FUNC, "Storing info for netgroup %s\n", name);
ret = sdap_save_all_names(name, attrs, dom,
netgroup_attrs);
if (ret != EOK) {
- DEBUG(1, "Failed to save netgroup names\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to save netgroup names\n");
goto fail;
}
@@ -148,7 +149,7 @@ static errno_t sdap_save_netgroup(TALLOC_CTX *memctx,
return EOK;
fail:
- DEBUG(2, "Failed to save netgroup %s\n", name);
+ DEBUG(SSSDBG_OP_FAILURE, "Failed to save netgroup %s\n", name);
return ret;
}
@@ -171,14 +172,15 @@ errno_t update_dn_list(struct dn_item *dn_list, const size_t count,
for(c = 0; c < count; c++) {
dn = ldb_msg_find_attr_as_string(res[c], SYSDB_ORIG_DN, NULL);
if (dn == NULL) {
- DEBUG(1, "Missing original DN.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "Missing original DN.\n");
return EINVAL;
}
if (strcmp(dn, dn_item->dn) == 0) {
- DEBUG(9, "Found matching entry for [%s].\n", dn_item->dn);
+ DEBUG(SSSDBG_TRACE_ALL,
+ "Found matching entry for [%s].\n", dn_item->dn);
cn = ldb_msg_find_attr_as_string(res[c], SYSDB_NAME, NULL);
if (cn == NULL) {
- DEBUG(1, "Missing name.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "Missing name.\n");
return EINVAL;
}
dn_item->cn = talloc_strdup(dn_item, cn);
@@ -255,7 +257,7 @@ struct tevent_req *netgr_translate_members_send(TALLOC_CTX *memctx,
SYSDB_ORIG_NETGROUP_MEMBER, state,
&member_list);
if (ret != EOK) {
- DEBUG(7, "Missing netgroup members.\n");
+ DEBUG(SSSDBG_TRACE_LIBS, "Missing netgroup members.\n");
continue;
}
@@ -263,12 +265,13 @@ struct tevent_req *netgr_translate_members_send(TALLOC_CTX *memctx,
if (is_dn(member_list[mc])) {
dn_item = talloc_zero(state, struct dn_item);
if (dn_item == NULL) {
- DEBUG(1, "talloc failed.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc failed.\n");
ret = ENOMEM;
goto fail;
}
- DEBUG(9, "Adding [%s] to DN list.\n", member_list[mc]);
+ DEBUG(SSSDBG_TRACE_ALL,
+ "Adding [%s] to DN list.\n", member_list[mc]);
dn_item->netgroup = netgroups[c];
dn_item->dn = member_list[mc];
DLIST_ADD(state->dn_list, dn_item);
@@ -276,7 +279,8 @@ struct tevent_req *netgr_translate_members_send(TALLOC_CTX *memctx,
ret = sysdb_attrs_add_string(netgroups[c], SYSDB_NETGROUP_MEMBER,
member_list[mc]);
if (ret != EOK) {
- DEBUG(1, "sysdb_attrs_add_string failed.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "sysdb_attrs_add_string failed.\n");
goto fail;
}
}
@@ -284,7 +288,7 @@ struct tevent_req *netgr_translate_members_send(TALLOC_CTX *memctx,
}
if (state->dn_list == NULL) {
- DEBUG(9, "No DNs found among netgroup members.\n");
+ DEBUG(SSSDBG_TRACE_ALL, "No DNs found among netgroup members.\n");
tevent_req_done(req);
tevent_req_post(req, ev);
return req;
@@ -292,7 +296,7 @@ struct tevent_req *netgr_translate_members_send(TALLOC_CTX *memctx,
dn_filter = talloc_strdup(state, "(|");
if (dn_filter == NULL) {
- DEBUG(1, "talloc_strdup failed.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_strdup failed.\n");
ret = ENOMEM;;
goto fail;
}
@@ -301,7 +305,7 @@ struct tevent_req *netgr_translate_members_send(TALLOC_CTX *memctx,
dn_filter = talloc_asprintf_append(dn_filter, "(%s=%s)",
SYSDB_ORIG_DN, dn_item->dn);
if (dn_filter == NULL) {
- DEBUG(1, "talloc_asprintf_append failed.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf_append failed.\n");
ret = ENOMEM;
goto fail;
}
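Review bot: `dn_item->dn` is formatted into the sysdb search filter with `"(%s=%s)"` without escaping, and an earlier hunk of this function shows it is copied straight from the netgroup member list (`dn_item->dn = member_list[mc];`). A DN carrying filter metacharacters such as `(`, `)`, `*` or `\` would change the meaning of the filter or make it invalid. The value should be escaped first, e.g. `ret = sss_filter_sanitize(state, dn_item->dn, &clean_dn);` with a check of `ret`, and `clean_dn` passed to `talloc_asprintf_append`. The loop header is outside the hunk, so any escaping done before this point is not visible here.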
@@ -309,14 +313,14 @@ struct tevent_req *netgr_translate_members_send(TALLOC_CTX *memctx,
dn_filter = talloc_asprintf_append(dn_filter, ")");
if (dn_filter == NULL) {
- DEBUG(1, "talloc_asprintf_append failed.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf_append failed.\n");
ret = ENOMEM;
goto fail;
}
sysdb_filter = talloc_asprintf(state, "(&(%s)%s)", SYSDB_NC, dn_filter);
if (sysdb_filter == NULL) {
- DEBUG(1, "talloc_asprintf failed.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n");
ret = ENOMEM;
goto fail;
}
@@ -332,7 +336,7 @@ struct tevent_req *netgr_translate_members_send(TALLOC_CTX *memctx,
talloc_zfree(netgr_basedn);
talloc_zfree(sysdb_filter);
if (ret != EOK && ret != ENOENT) {
- DEBUG(1, "sysdb_search_entry failed.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "sysdb_search_entry failed.\n");
goto fail;
}
@@ -340,7 +344,7 @@ struct tevent_req *netgr_translate_members_send(TALLOC_CTX *memctx,
ret = update_dn_list(state->dn_list, sysdb_count, sysdb_res,
&all_resolved);
if (ret != EOK) {
- DEBUG(1, "update_dn_list failed.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "update_dn_list failed.\n");
goto fail;
}
@@ -350,7 +354,8 @@ struct tevent_req *netgr_translate_members_send(TALLOC_CTX *memctx,
SYSDB_NETGROUP_MEMBER,
dn_item->cn);
if (ret != EOK) {
- DEBUG(1, "sysdb_attrs_add_string failed.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "sysdb_attrs_add_string failed.\n");
goto fail;
}
}
@@ -364,7 +369,8 @@ struct tevent_req *netgr_translate_members_send(TALLOC_CTX *memctx,
state->dn_idx = state->dn_list;
ret = netgr_translate_members_ldap_step(req);
if (ret != EOK && ret != EAGAIN) {
- DEBUG(1, "netgr_translate_members_ldap_step failed.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "netgr_translate_members_ldap_step failed.\n");
goto fail;
}
@@ -407,7 +413,8 @@ static errno_t netgr_translate_members_ldap_step(struct tevent_req *req)
SYSDB_NETGROUP_MEMBER,
state->dn_item->cn);
if (ret != EOK) {
- DEBUG(1, "sysdb_attrs_add_string failed.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "sysdb_attrs_add_string failed.\n");
tevent_req_error(req, ret);
return ret;
}
@@ -427,14 +434,14 @@ static errno_t netgr_translate_members_ldap_step(struct tevent_req *req)
cn_attr = talloc_array(state, const char *, 3);
if (cn_attr == NULL) {
- DEBUG(1, "talloc_array failed.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_array failed.\n");
return ENOMEM;
}
cn_attr[0] = state->opts->netgroup_map[SDAP_AT_NETGROUP_NAME].name;
cn_attr[1] = "objectclass";
cn_attr[2] = NULL;
- DEBUG(9, "LDAP base search for [%s].\n", state->dn_item->dn);
+ DEBUG(SSSDBG_TRACE_ALL, "LDAP base search for [%s].\n", state->dn_item->dn);
subreq = sdap_get_generic_send(state, state->ev, state->opts, state->sh,
state->dn_item->dn, LDAP_SCOPE_BASE, filter,
cn_attr, state->opts->netgroup_map,
@@ -443,7 +450,7 @@ static errno_t netgr_translate_members_ldap_step(struct tevent_req *req)
SDAP_SEARCH_TIMEOUT),
false);
if (!subreq) {
- DEBUG(1, "sdap_get_generic_send failed.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "sdap_get_generic_send failed.\n");
return ENOMEM;
}
talloc_steal(subreq, cn_attr);
@@ -466,24 +473,25 @@ static void netgr_translate_members_ldap_done(struct tevent_req *subreq)
ret = sdap_get_generic_recv(subreq, state, &count, &netgroups);
talloc_zfree(subreq);
if (ret != EOK) {
- DEBUG(1, "sdap_get_generic request failed.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "sdap_get_generic request failed.\n");
goto fail;
}
switch (count) {
case 0:
- DEBUG(0, "sdap_get_generic_recv found no entry for [%s].\n",
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "sdap_get_generic_recv found no entry for [%s].\n",
state->dn_item->dn);
break;
case 1:
ret = sysdb_attrs_get_string(netgroups[0], SYSDB_NAME, &str);
if (ret != EOK) {
- DEBUG(1, "sysdb_attrs_add_string failed.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "sysdb_attrs_add_string failed.\n");
break;
}
state->dn_item->cn = talloc_strdup(state->dn_item, str);
if (state->dn_item->cn == NULL) {
- DEBUG(1, "talloc_strdup failed.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_strdup failed.\n");
}
break;
default:
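Review bot: In `case 1` the error message names the wrong function: the call that failed is `sysdb_attrs_get_string`, but the log says "sysdb_attrs_add_string failed.", which sends whoever reads the log to the wrong place. It should read `DEBUG(SSSDBG_CRIT_FAILURE, "sysdb_attrs_get_string failed.\n");`. In `case 0` the mechanical mapping of level 0 yields `SSSDBG_FATAL_FAILURE` for a condition the code treats as recoverable (it only does `break`, and the next hunk falls back to using the DN), so `SSSDBG_MINOR_FAILURE` would describe it better. The switch continues outside this hunk.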
@@ -493,7 +501,8 @@ static void netgr_translate_members_ldap_done(struct tevent_req *subreq)
}
if (state->dn_item->cn == NULL) {
- DEBUG(1, "Failed to resolve netgroup name for DN [%s], using DN.\n",
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Failed to resolve netgroup name for DN [%s], using DN.\n",
state->dn_item->dn);
state->dn_item->cn = talloc_strdup(state->dn_item, state->dn_item->dn);
}
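Review bot: The fallback `state->dn_item->cn = talloc_strdup(state->dn_item, state->dn_item->dn);` is not checked, so an allocation failure leaves `cn` as NULL after the message has already announced "using DN". Another hunk shows `state->dn_item->cn` being handed to `sysdb_attrs_add_string` in netgr_translate_members_ldap_step, so a NULL here presumably propagates into the stored member list. Add `if (state->dn_item->cn == NULL) { ret = ENOMEM; goto fail; }` directly after the assignment; the `fail` label is used a few lines further down in the same function.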
@@ -501,7 +510,8 @@ static void netgr_translate_members_ldap_done(struct tevent_req *subreq)
state->dn_idx = state->dn_item->next;
ret = netgr_translate_members_ldap_step(req);
if (ret != EOK && ret != EAGAIN) {
- DEBUG(1, "netgr_translate_members_ldap_step failed.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "netgr_translate_members_ldap_step failed.\n");
goto fail;
}
@@ -716,7 +726,7 @@ static void netgr_translate_members_done(struct tevent_req *subreq)
&state->higher_timestamp,
now);
if (ret) {
- DEBUG(2, "Failed to store netgroups.\n");
+ DEBUG(SSSDBG_OP_FAILURE, "Failed to store netgroups.\n");
tevent_req_error(req, ret);
return;
}
diff --git a/src/providers/ldap/sdap_async_users.c b/src/providers/ldap/sdap_async_users.c
index 91e705c62..dd935377c 100644
--- a/src/providers/ldap/sdap_async_users.c
+++ b/src/providers/ldap/sdap_async_users.c
@@ -273,7 +273,8 @@ int sdap_save_user(TALLOC_CTX *memctx,
}
/* check that the uid is valid for this domain */
if (OUT_OF_ID_RANGE(uid, dom->id_min, dom->id_max)) {
- DEBUG(2, "User [%s] filtered out! (uid out of range)\n",
+ DEBUG(SSSDBG_OP_FAILURE,
+ "User [%s] filtered out! (uid out of range)\n",
user_name);
ret = EINVAL;
goto done;
@@ -533,9 +534,9 @@ int sdap_save_users(TALLOC_CTX *memctx,
/* Do not fail completely on errors.
* Just report the failure to save and go on */
if (ret) {
- DEBUG(2, "Failed to store user %d. Ignoring.\n", i);
+ DEBUG(SSSDBG_OP_FAILURE, "Failed to store user %d. Ignoring.\n", i);
} else {
- DEBUG(9, "User %d processed!\n", i);
+ DEBUG(SSSDBG_TRACE_ALL, "User %d processed!\n", i);
}
if (usn_value) {
diff --git a/src/providers/ldap/sdap_child_helpers.c b/src/providers/ldap/sdap_child_helpers.c
index 2a0730e39..448c5af10 100644
--- a/src/providers/ldap/sdap_child_helpers.c
+++ b/src/providers/ldap/sdap_child_helpers.c
@@ -56,14 +56,14 @@ static void sdap_close_fd(int *fd)
int ret;
if (*fd == -1) {
- DEBUG(6, "fd already closed\n");
+ DEBUG(SSSDBG_TRACE_FUNC, "fd already closed\n");
return;
}
ret = close(*fd);
if (ret) {
ret = errno;
- DEBUG(2, "Closing fd %d, return error %d (%s)\n",
+ DEBUG(SSSDBG_OP_FAILURE, "Closing fd %d, return error %d (%s)\n",
*fd, ret, strerror(ret));
}
@@ -91,13 +91,15 @@ static errno_t sdap_fork_child(struct tevent_context *ev,
ret = pipe(pipefd_from_child);
if (ret == -1) {
err = errno;
- DEBUG(1, "pipe failed [%d][%s].\n", err, strerror(err));
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "pipe failed [%d][%s].\n", err, strerror(err));
return err;
}
ret = pipe(pipefd_to_child);
if (ret == -1) {
err = errno;
- DEBUG(1, "pipe failed [%d][%s].\n", err, strerror(err));
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "pipe failed [%d][%s].\n", err, strerror(err));
return err;
}
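Review bot: The failure path of the second `pipe()` call returns `err` while both descriptors of `pipefd_from_child`, created just above, are still open, so every failed attempt leaks two fds in the long-running provider. Close them before returning, e.g. `close(pipefd_from_child[0]); close(pipefd_from_child[1]);` ahead of `return err;`. The fork-failure branch in the next hunk has the same gap, there for the descriptors of both pipes. sdap_fork_child starts and ends outside this hunk, so any cleanup elsewhere in the function is not visible here.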
@@ -126,7 +128,8 @@ static errno_t sdap_fork_child(struct tevent_context *ev,
} else { /* error */
err = errno;
- DEBUG(1, "fork failed [%d][%s].\n", err, strerror(err));
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "fork failed [%d][%s].\n", err, strerror(err));
return err;
}
@@ -145,7 +148,7 @@ static errno_t create_tgt_req_send_buffer(TALLOC_CTX *mem_ctx,
buf = talloc(mem_ctx, struct io_buffer);
if (buf == NULL) {
- DEBUG(1, "talloc failed.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc failed.\n");
return ENOMEM;
}
@@ -164,7 +167,7 @@ static errno_t create_tgt_req_send_buffer(TALLOC_CTX *mem_ctx,
buf->data = talloc_size(buf, buf->size);
if (buf->data == NULL) {
- DEBUG(1, "talloc_size failed.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_size failed.\n");
talloc_free(buf);
return ENOMEM;
}
@@ -227,7 +230,7 @@ static int parse_child_response(TALLOC_CTX *mem_ctx,
ccn = talloc_size(mem_ctx, sizeof(char) * (len + 1));
if (ccn == NULL) {
- DEBUG(1, "talloc_size failed.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_size failed.\n");
return ENOMEM;
}
safealign_memcpy(ccn, buf+p, sizeof(char) * len, &p);
@@ -296,19 +299,19 @@ struct tevent_req *sdap_get_tgt_send(TALLOC_CTX *mem_ctx,
realm_str, princ_str, keytab_name, lifetime,
&buf);
if (ret != EOK) {
- DEBUG(1, "create_tgt_req_send_buffer failed.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "create_tgt_req_send_buffer failed.\n");
goto fail;
}
ret = sdap_fork_child(state->ev, state->child);
if (ret != EOK) {
- DEBUG(1, "sdap_fork_child failed.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "sdap_fork_child failed.\n");
goto fail;
}
ret = set_tgt_child_timeout(req, ev, timeout);
if (ret != EOK) {
- DEBUG(1, "activate_child_timeout_handler failed.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "activate_child_timeout_handler failed.\n");
goto fail;
}
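Review bot: The message logged when `set_tgt_child_timeout()` fails names `activate_child_timeout_handler`, which is not the function called in this hunk, so the log points a reader at the wrong place. Since the line is being rewritten anyway, it could read `DEBUG(SSSDBG_CRIT_FAILURE, "set_tgt_child_timeout failed.\n");`. sdap_get_tgt_send begins and continues outside the hunk.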
@@ -394,11 +397,13 @@ int sdap_get_tgt_recv(struct tevent_req *req,
ret = parse_child_response(mem_ctx, state->buf, state->len,
&res, &krberr, &ccn, &expire_time);
if (ret != EOK) {
- DEBUG(1, "Cannot parse child response: [%d][%s]\n", ret, strerror(ret));
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Cannot parse child response: [%d][%s]\n", ret, strerror(ret));
return ret;
}
- DEBUG(6, "Child responded: %d [%s], expired on [%ld]\n", res, ccn, (long)expire_time);
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "Child responded: %d [%s], expired on [%ld]\n", res, ccn, (long)expire_time);
*result = res;
*kerr = krberr;
*ccname = ccn;
@@ -417,11 +422,13 @@ static void get_tgt_timeout_handler(struct tevent_context *ev,
struct sdap_get_tgt_state);
int ret;
- DEBUG(9, "timeout for tgt child [%d] reached.\n", state->child->pid);
+ DEBUG(SSSDBG_TRACE_ALL,
+ "timeout for tgt child [%d] reached.\n", state->child->pid);
ret = kill(state->child->pid, SIGKILL);
if (ret == -1) {
- DEBUG(1, "kill failed [%d][%s].\n", errno, strerror(errno));
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "kill failed [%d][%s].\n", errno, strerror(errno));
}
tevent_req_error(req, ETIMEDOUT);
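Review bot: The timeout that leads to `kill(state->child->pid, SIGKILL)` is logged only at `SSSDBG_TRACE_ALL`, so at ordinary debug levels nothing records that the tgt child was forcibly terminated before the request fails with ETIMEDOUT. The mapping is faithful to the old literal `9`, but the event reads as an operation failure and would be better placed at `SSSDBG_OP_FAILURE`, i.e. `DEBUG(SSSDBG_OP_FAILURE, "timeout for tgt child [%d] reached.\n", state->child->pid);`. The same applies to `"too many communication failures, giving up...\n"` in the sdap_id_op_done hunk of sdap_id_op.c, which sets `DP_ERR_FATAL` yet logs at `SSSDBG_TRACE_ALL`.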
@@ -434,13 +441,14 @@ static errno_t set_tgt_child_timeout(struct tevent_req *req,
struct tevent_timer *te;
struct timeval tv;
- DEBUG(6, "Setting %d seconds timeout for tgt child\n", timeout);
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "Setting %d seconds timeout for tgt child\n", timeout);
tv = tevent_timeval_current_ofs(timeout, 0);
te = tevent_add_timer(ev, req, tv, get_tgt_timeout_handler, req);
if (te == NULL) {
- DEBUG(1, "tevent_add_timer failed.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "tevent_add_timer failed.\n");
return ENOMEM;
}
@@ -458,14 +466,15 @@ int sdap_setup_child(void)
if (debug_to_file != 0 && ldap_child_debug_fd == -1) {
ret = open_debug_file_ex(LDAP_CHILD_LOG_FILE, &debug_filep, false);
if (ret != EOK) {
- DEBUG(0, "Error setting up logging (%d) [%s]\n",
+ DEBUG(SSSDBG_FATAL_FAILURE, "Error setting up logging (%d) [%s]\n",
ret, strerror(ret));
return ret;
}
ldap_child_debug_fd = fileno(debug_filep);
if (ldap_child_debug_fd == -1) {
- DEBUG(0, "fileno failed [%d][%s]\n", errno, strerror(errno));
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "fileno failed [%d][%s]\n", errno, strerror(errno));
ret = errno;
return ret;
}
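Review bot: In the `fileno` failure branch, `errno` is copied into `ret` only after the `DEBUG` call, and the logging path may itself modify `errno`, so the function can return a value unrelated to the failure (possibly 0, which callers would read as success). Capture it first: `ret = errno;` followed by `DEBUG(SSSDBG_FATAL_FAILURE, "fileno failed [%d][%s]\n", ret, strerror(ret));`. sdap_setup_child continues past the end of this hunk.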
diff --git a/src/providers/ldap/sdap_fd_events.c b/src/providers/ldap/sdap_fd_events.c
index fc01d78ad..cfd656ff9 100644
--- a/src/providers/ldap/sdap_fd_events.c
+++ b/src/providers/ldap/sdap_fd_events.c
@@ -39,7 +39,7 @@ int get_fd_from_ldap(LDAP *ldap, int *fd)
ret = ldap_get_option(ldap, LDAP_OPT_DESC, fd);
if (ret != LDAP_OPT_SUCCESS || *fd < 0) {
- DEBUG(1, "Failed to get fd from ldap!!\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to get fd from ldap!!\n");
*fd = -1;
return EIO;
}
@@ -74,9 +74,9 @@ static int remove_connection_callback(TALLOC_CTX *mem_ctx)
lret = ldap_get_option(cb_data->sh->ldap, LDAP_OPT_CONNECT_CB, conncb);
if (lret != LDAP_OPT_SUCCESS) {
- DEBUG(1, "Failed to remove connection callback.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to remove connection callback.\n");
} else {
- DEBUG(9, "Successfully removed connection callback.\n");
+ DEBUG(SSSDBG_TRACE_ALL, "Successfully removed connection callback.\n");
}
return EOK;
}
@@ -93,27 +93,28 @@ static int sdap_ldap_connect_callback_add(LDAP *ld, Sockbuf *sb,
struct ldap_cb_data);
if (cb_data == NULL) {
- DEBUG(1, "sdap_ldap_connect_callback_add called without "
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "sdap_ldap_connect_callback_add called without "
"callback data.\n");
return EINVAL;
}
ret = ber_sockbuf_ctrl(sb, LBER_SB_OPT_GET_FD, &ber_fd);
if (ret == -1) {
- DEBUG(1, "ber_sockbuf_ctrl failed.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "ber_sockbuf_ctrl failed.\n");
return EINVAL;
}
if (DEBUG_IS_SET(SSSDBG_TRACE_LIBS)) {
char *uri = ldap_url_desc2str(srv);
- DEBUG(7, "New LDAP connection to [%s] with fd [%d].\n",
+ DEBUG(SSSDBG_TRACE_LIBS, "New LDAP connection to [%s] with fd [%d].\n",
uri, ber_fd);
free(uri);
}
fd_event_item = talloc_zero(cb_data, struct fd_event_item);
if (fd_event_item == NULL) {
- DEBUG(1, "talloc failed.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc failed.\n");
return ENOMEM;
}
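Review bot: `uri` from `ldap_url_desc2str(srv)` is passed straight to `%s` in the trace message without a NULL check; the call can return NULL (for instance on allocation failure), and a NULL `%s` argument is undefined behaviour outside glibc. Passing `uri != NULL ? uri : "(unknown)"` as the argument keeps the trace path safe. sdap_ldap_connect_callback_add starts before and ends after this hunk.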
@@ -121,7 +122,7 @@ static int sdap_ldap_connect_callback_add(LDAP *ld, Sockbuf *sb,
TEVENT_FD_READ, sdap_ldap_result,
cb_data->sh);
if (fd_event_item->fde == NULL) {
- DEBUG(1, "tevent_add_fd failed.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "tevent_add_fd failed.\n");
talloc_free(fd_event_item);
return ENOMEM;
}
@@ -147,10 +148,10 @@ static void sdap_ldap_connect_callback_del(LDAP *ld, Sockbuf *sb,
ret = ber_sockbuf_ctrl(sb, LBER_SB_OPT_GET_FD, &ber_fd);
if (ret == -1) {
- DEBUG(1, "ber_sockbuf_ctrl failed.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "ber_sockbuf_ctrl failed.\n");
return;
}
- DEBUG(9, "Closing LDAP connection with fd [%d].\n", ber_fd);
+ DEBUG(SSSDBG_TRACE_ALL, "Closing LDAP connection with fd [%d].\n", ber_fd);
DLIST_FOR_EACH(fd_event_item, cb_data->fd_list) {
if (fd_event_item->fd == ber_fd) {
@@ -158,7 +159,7 @@ static void sdap_ldap_connect_callback_del(LDAP *ld, Sockbuf *sb,
}
}
if (fd_event_item == NULL) {
- DEBUG(1, "No event for fd [%d] found.\n", ber_fd);
+ DEBUG(SSSDBG_CRIT_FAILURE, "No event for fd [%d] found.\n", ber_fd);
return;
}
@@ -177,14 +178,15 @@ static int sdap_install_ldap_callbacks(struct sdap_handle *sh,
int ret;
if (sh->sdap_fd_events) {
- DEBUG(1, "sdap_install_ldap_callbacks is called with already "
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "sdap_install_ldap_callbacks is called with already "
"initialized sdap_fd_events.\n");
return EINVAL;
}
sh->sdap_fd_events = talloc_zero(sh, struct sdap_fd_events);
if (!sh->sdap_fd_events) {
- DEBUG(1, "talloc_zero failed.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_zero failed.\n");
return ENOMEM;
}
@@ -199,7 +201,8 @@ static int sdap_install_ldap_callbacks(struct sdap_handle *sh,
return ENOMEM;
}
- DEBUG(8, "Trace: sh[%p], connected[%d], ops[%p], fde[%p], ldap[%p]\n",
+ DEBUG(SSSDBG_TRACE_INTERNAL,
+ "Trace: sh[%p], connected[%d], ops[%p], fde[%p], ldap[%p]\n",
sh, (int)sh->connected, sh->ops, sh->sdap_fd_events->fde,
sh->ldap);
@@ -218,7 +221,7 @@ errno_t setup_ldap_connection_callbacks(struct sdap_handle *sh,
sh->sdap_fd_events = talloc_zero(sh, struct sdap_fd_events);
if (sh->sdap_fd_events == NULL) {
- DEBUG(1, "talloc_zero failed.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_zero failed.\n");
ret = ENOMEM;
goto fail;
}
@@ -226,14 +229,14 @@ errno_t setup_ldap_connection_callbacks(struct sdap_handle *sh,
sh->sdap_fd_events->conncb = talloc_zero(sh->sdap_fd_events,
struct ldap_conncb);
if (sh->sdap_fd_events->conncb == NULL) {
- DEBUG(1, "talloc_zero failed.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_zero failed.\n");
ret = ENOMEM;
goto fail;
}
cb_data = talloc_zero(sh->sdap_fd_events->conncb, struct ldap_cb_data);
if (cb_data == NULL) {
- DEBUG(1, "talloc_zero failed.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_zero failed.\n");
ret = ENOMEM;
goto fail;
}
@@ -247,7 +250,7 @@ errno_t setup_ldap_connection_callbacks(struct sdap_handle *sh,
ret = ldap_set_option(sh->ldap, LDAP_OPT_CONNECT_CB,
sh->sdap_fd_events->conncb);
if (ret != LDAP_OPT_SUCCESS) {
- DEBUG(1, "Failed to set connection callback\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to set connection callback\n");
ret = EFAULT;
goto fail;
}
@@ -261,7 +264,7 @@ fail:
talloc_zfree(sh->sdap_fd_events);
return ret;
#else
- DEBUG(9, "LDAP connection callbacks are not supported.\n");
+ DEBUG(SSSDBG_TRACE_ALL, "LDAP connection callbacks are not supported.\n");
return EOK;
#endif
}
@@ -288,13 +291,13 @@ errno_t sdap_call_conn_cb(const char *uri,int fd, struct sdap_handle *sh)
sb = ber_sockbuf_alloc();
if (sb == NULL) {
- DEBUG(1, "ber_sockbuf_alloc failed.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "ber_sockbuf_alloc failed.\n");
return ENOMEM;
}
ret = ber_sockbuf_ctrl(sb, LBER_SB_OPT_SET_FD, &fd);
if (ret != 1) {
- DEBUG(1, "ber_sockbuf_ctrl failed.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "ber_sockbuf_ctrl failed.\n");
return EFAULT;
}
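Review bot: When `ber_sockbuf_ctrl(sb, LBER_SB_OPT_SET_FD, &fd)` fails, the function returns `EFAULT` without releasing `sb`, which was just obtained from `ber_sockbuf_alloc()`. Add `ber_sockbuf_free(sb);` before `return EFAULT;`, matching the release on the normal exit shown in the following hunk. The body of sdap_call_conn_cb extends beyond this hunk.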
@@ -314,7 +317,7 @@ errno_t sdap_call_conn_cb(const char *uri,int fd, struct sdap_handle *sh)
ber_sockbuf_free(sb);
return ret;
#else
- DEBUG(9, "LDAP connection callbacks are not supported.\n");
+ DEBUG(SSSDBG_TRACE_ALL, "LDAP connection callbacks are not supported.\n");
return EOK;
#endif
}
diff --git a/src/providers/ldap/sdap_id_op.c b/src/providers/ldap/sdap_id_op.c
index 1e03d7ac4..508bbd2ad 100644
--- a/src/providers/ldap/sdap_id_op.c
+++ b/src/providers/ldap/sdap_id_op.c
@@ -109,7 +109,8 @@ int sdap_id_conn_cache_create(TALLOC_CTX *memctx,
int ret;
struct sdap_id_conn_cache *conn_cache = talloc_zero(memctx, struct sdap_id_conn_cache);
if (!conn_cache) {
- DEBUG(1, "talloc_zero(struct sdap_id_conn_cache) failed.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "talloc_zero(struct sdap_id_conn_cache) failed.\n");
ret = ENOMEM;
goto fail;
}
@@ -120,7 +121,7 @@ int sdap_id_conn_cache_create(TALLOC_CTX *memctx,
sdap_id_conn_cache_be_offline_cb, conn_cache,
NULL);
if (ret != EOK) {
- DEBUG(1, "be_add_offline_cb failed.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "be_add_offline_cb failed.\n");
goto fail;
}
@@ -179,7 +180,7 @@ static void sdap_id_release_conn_data(struct sdap_id_conn_data *conn_data)
return;
}
- DEBUG(9, "releasing unused connection\n");
+ DEBUG(SSSDBG_TRACE_ALL, "releasing unused connection\n");
DLIST_REMOVE(conn_cache->connections, conn_data);
talloc_zfree(conn_data);
@@ -277,7 +278,8 @@ static void sdap_id_conn_data_expire_handler(struct tevent_context *ev,
struct sdap_id_conn_data);
struct sdap_id_conn_cache *conn_cache = conn_data->conn_cache;
- DEBUG(3, "connection is about to expire, releasing it\n");
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "connection is about to expire, releasing it\n");
if (conn_cache->cached_connection == conn_data) {
conn_cache->cached_connection = NULL;
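Review bot: `"connection is about to expire, releasing it\n"` now carries `SSSDBG_MINOR_FAILURE`, but the handler is performing routine connection expiry, not reporting a failure. With bitmask levels, anyone filtering logs for failures will see normal connection turnover mixed in with real errors. If this commit is meant to stay purely mechanical, a follow-up could change it to `DEBUG(SSSDBG_TRACE_FUNC, "connection is about to expire, releasing it\n");`.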
@@ -304,7 +306,7 @@ struct sdap_id_op *sdap_id_op_create(TALLOC_CTX *memctx, struct sdap_id_conn_cac
static void sdap_id_op_hook_conn_data(struct sdap_id_op *op, struct sdap_id_conn_data *conn_data)
{
if (!op) {
- DEBUG(0, "NULL op passed!!!\n");
+ DEBUG(SSSDBG_FATAL_FAILURE, "NULL op passed!!!\n");
return;
}
@@ -334,7 +336,7 @@ static int sdap_id_op_destroy(void *pvt)
struct sdap_id_op *op = talloc_get_type(pvt, struct sdap_id_op);
if (op->conn_data) {
- DEBUG(9, "releasing operation connection\n");
+ DEBUG(SSSDBG_TRACE_ALL, "releasing operation connection\n");
sdap_id_op_hook_conn_data(op, NULL);
}
@@ -392,14 +394,15 @@ struct tevent_req *sdap_id_op_connect_send(struct sdap_id_op *op,
int ret = EOK;
if (!memctx) {
- DEBUG(1, "Bug: no memory context passed.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "Bug: no memory context passed.\n");
ret = EINVAL;
goto done;
}
if (op->connect_req) {
/* Connection already in progress, invalid operation */
- DEBUG(1, "Bug: connection request is already running or completed and leaked.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Bug: connection request is already running or completed and leaked.\n");
ret = EINVAL;
goto done;
}
@@ -420,7 +423,7 @@ struct tevent_req *sdap_id_op_connect_send(struct sdap_id_op *op,
if (op->conn_data) {
/* If the operation is already connected,
* reuse existing connection regardless of its status */
- DEBUG(9, "reusing operation connection\n");
+ DEBUG(SSSDBG_TRACE_ALL, "reusing operation connection\n");
ret = EOK;
goto done;
}
@@ -462,23 +465,23 @@ static int sdap_id_op_connect_step(struct tevent_req *req)
conn_data = conn_cache->cached_connection;
if (conn_data) {
if (conn_data->connect_req) {
- DEBUG(9, "waiting for connection to complete\n");
+ DEBUG(SSSDBG_TRACE_ALL, "waiting for connection to complete\n");
sdap_id_op_hook_conn_data(op, conn_data);
goto done;
}
if (sdap_can_reuse_connection(conn_data)) {
- DEBUG(9, "reusing cached connection\n");
+ DEBUG(SSSDBG_TRACE_ALL, "reusing cached connection\n");
sdap_id_op_hook_conn_data(op, conn_data);
goto done;
}
- DEBUG(9, "releasing expired cached connection\n");
+ DEBUG(SSSDBG_TRACE_ALL, "releasing expired cached connection\n");
conn_cache->cached_connection = NULL;
sdap_id_release_conn_data(conn_data);
}
- DEBUG(9, "beginning to connect\n");
+ DEBUG(SSSDBG_TRACE_ALL, "beginning to connect\n");
conn_data = talloc_zero(conn_cache, struct sdap_id_conn_data);
if (!conn_data) {
@@ -544,11 +547,13 @@ static void sdap_id_op_connect_done(struct tevent_req *subreq)
conn_data->notify_lock++;
if (ret == ENOTSUP) {
- DEBUG(0, "Authentication mechanism not Supported by server\n");
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "Authentication mechanism not Supported by server\n");
}
if (ret == EOK && (!conn_data->sh || !conn_data->sh->connected)) {
- DEBUG(0, "sdap_cli_connect_recv returned bogus connection\n");
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "sdap_cli_connect_recv returned bogus connection\n");
ret = EFAULT;
}
@@ -570,12 +575,13 @@ static void sdap_id_op_connect_done(struct tevent_req *subreq)
if (ret == EOK) {
current_srv_opts = conn_cache->id_conn->id_ctx->srv_opts;
if (current_srv_opts) {
- DEBUG(8, "Old USN: %lu, New USN: %lu\n", current_srv_opts->last_usn, srv_opts->last_usn);
+ DEBUG(SSSDBG_TRACE_INTERNAL,
+ "Old USN: %lu, New USN: %lu\n", current_srv_opts->last_usn, srv_opts->last_usn);
if (strcmp(srv_opts->server_id, current_srv_opts->server_id) == 0 &&
srv_opts->supports_usn &&
current_srv_opts->last_usn > srv_opts->last_usn) {
- DEBUG(5, "Server was probably re-initialized\n");
+ DEBUG(SSSDBG_FUNC_DATA, "Server was probably re-initialized\n");
current_srv_opts->max_user_value = 0;
current_srv_opts->max_group_value = 0;
@@ -616,7 +622,8 @@ static void sdap_id_op_connect_done(struct tevent_req *subreq)
struct sdap_id_op *op;
if (ret == EOK && !conn_data->sh->connected) {
- DEBUG(9, "connection was broken after %d notifies\n", notify_count);
+ DEBUG(SSSDBG_TRACE_ALL,
+ "connection was broken after %d notifies\n", notify_count);
}
DLIST_FOR_EACH(op, conn_data->ops) {
@@ -646,7 +653,8 @@ static void sdap_id_op_connect_done(struct tevent_req *subreq)
if (be_is_offline(conn_cache->id_conn->id_ctx->be)) {
/* be is offline, no retry possible */
if (ret == EOK) {
- DEBUG(9, "skipping automatic retry on op #%d as be is offline\n", notify_count);
+ DEBUG(SSSDBG_TRACE_ALL,
+ "skipping automatic retry on op #%d as be is offline\n", notify_count);
ret = EIO;
}
@@ -654,10 +662,12 @@ static void sdap_id_op_connect_done(struct tevent_req *subreq)
is_offline = true;
} else {
if (ret == EOK) {
- DEBUG(9, "attempting automatic retry on op #%d\n", notify_count);
+ DEBUG(SSSDBG_TRACE_ALL,
+ "attempting automatic retry on op #%d\n", notify_count);
retry = true;
} else if (sdap_id_op_can_reconnect(op)) {
- DEBUG(9, "attempting failover retry on op #%d\n", notify_count);
+ DEBUG(SSSDBG_TRACE_ALL,
+ "attempting failover retry on op #%d\n", notify_count);
op->reconnect_retry_count++;
retry = true;
}
@@ -676,13 +686,15 @@ static void sdap_id_op_connect_done(struct tevent_req *subreq)
}
if (ret == EOK) {
- DEBUG(9, "notify connected to op #%d\n", notify_count);
+ DEBUG(SSSDBG_TRACE_ALL,
+ "notify connected to op #%d\n", notify_count);
sdap_id_op_connect_req_complete(op, DP_ERR_OK, ret);
} else if (is_offline) {
- DEBUG(9, "notify offline to op #%d\n", notify_count);
+ DEBUG(SSSDBG_TRACE_ALL, "notify offline to op #%d\n", notify_count);
sdap_id_op_connect_req_complete(op, DP_ERR_OFFLINE, EAGAIN);
} else {
- DEBUG(9, "notify error to op #%d: %d [%s]\n", notify_count, ret, strerror(ret));
+ DEBUG(SSSDBG_TRACE_ALL,
+ "notify error to op #%d: %d [%s]\n", notify_count, ret, strerror(ret));
sdap_id_op_connect_req_complete(op, DP_ERR_FATAL, ret);
}
}
@@ -695,7 +707,8 @@ static void sdap_id_op_connect_done(struct tevent_req *subreq)
if ((ret == EOK) &&
conn_data->sh->connected &&
!be_is_offline(conn_cache->id_conn->id_ctx->be)) {
- DEBUG(9, "caching successful connection after %d notifies\n", notify_count);
+ DEBUG(SSSDBG_TRACE_ALL,
+ "caching successful connection after %d notifies\n", notify_count);
conn_cache->cached_connection = conn_data;
/* Run any post-connection routines */
@@ -812,7 +825,8 @@ int sdap_id_op_done(struct sdap_id_op *op, int retval, int *dp_err_out)
/* do not reuse failed connection */
op->conn_cache->cached_connection = NULL;
- DEBUG(5, "communication error on cached connection, moving to next server\n");
+ DEBUG(SSSDBG_FUNC_DATA,
+ "communication error on cached connection, moving to next server\n");
be_fo_try_next_server(op->conn_cache->id_conn->id_ctx->be,
op->conn_cache->id_conn->service->name);
}
@@ -824,13 +838,14 @@ int sdap_id_op_done(struct sdap_id_op *op, int retval, int *dp_err_out)
/* if backend is already offline, just report offline, do not duplicate errors */
dp_err = DP_ERR_OFFLINE;
retval = EAGAIN;
- DEBUG(9, "falling back to offline data...\n");
+ DEBUG(SSSDBG_TRACE_ALL, "falling back to offline data...\n");
} else if (communication_error) {
/* communication error, can try to reconnect */
if (!sdap_id_op_can_reconnect(op)) {
dp_err = DP_ERR_FATAL;
- DEBUG(9, "too many communication failures, giving up...\n");
+ DEBUG(SSSDBG_TRACE_ALL,
+ "too many communication failures, giving up...\n");
} else {
dp_err = DP_ERR_OK;
retval = EAGAIN;
@@ -842,14 +857,15 @@ int sdap_id_op_done(struct sdap_id_op *op, int retval, int *dp_err_out)
if (dp_err == DP_ERR_OK && retval != EOK) {
/* reconnect retry */
op->reconnect_retry_count++;
- DEBUG(9, "advising for connection retry #%i\n", op->reconnect_retry_count);
+ DEBUG(SSSDBG_TRACE_ALL,
+ "advising for connection retry #%i\n", op->reconnect_retry_count);
} else {
/* end of request */
op->reconnect_retry_count = 0;
}
if (current_conn) {
- DEBUG(9, "releasing operation connection\n");
+ DEBUG(SSSDBG_TRACE_ALL, "releasing operation connection\n");
sdap_id_op_hook_conn_data(op, NULL);
}