RFC 2251 LDAP Result Codes
LDAP Return Codes
LDAP defines a set of operation result codes that the LDAP server may return in response to LDAP requests. These codes indicate the status of the protocol operation and are grouped into server return codes and client return codes.
LDAP Server Return Codes
The following table lists the server return codes:
Indicates the requested client operation completed successfully.
Indicates an internal error occurred. The server is unable to respond with a more specific error and is also unable to properly respond to a request. It does not indicate that the client has sent an erroneous message.
Indicates that the server has received an invalid or malformed request from the client.
Indicates that the operation's time limit specified by either the client or the server has been exceeded. On search operations, incomplete results are returned.
Indicates that in a search operation, the size limit specified by the client or the server has been exceeded. Incomplete results are returned.
Does not indicate an error condition. Indicates that the results of a compare operation are false.
Does not indicate an error condition. Indicates that the results of a compare operation are true.
Indicates that during a bind operation the client requested an authentication method not supported by the LDAP server.
Indicates one of the following:
  - In bind requests, the LDAP server accepts only strong authentication.
  - In a client request, the client requested an operation, such as delete, that requires strong authentication.
  - In an unsolicited notice of disconnection, the LDAP server discovers that the security protecting the communication between the client and server has unexpectedly failed or been compromised.
Does not indicate an error condition. In LDAPv3, indicates that the server does not hold the target entry of the request, but that the servers in the referral field may.
Indicates that an LDAP server limit set by an administrative authority has been exceeded.
Indicates that the LDAP server was unable to satisfy a request because one or more critical extensions were not available. Either the server does not support the control or the control is not appropriate for the operation type.
Indicates that the session is not protected by a protocol, such as Transport Layer Security (TLS), which provides session confidentiality.
Does not indicate an error condition, but indicates that the server is ready for the next step in the process. The client must send the server the same SASL mechanism to continue the process.
Indicates that the attribute specified in the modify or compare operation does not exist in the entry.
Indicates that the attribute specified in the modify or add operation does not exist in the LDAP server's schema.
Indicates that the matching rule specified in the search filter does not match a rule defined for the attribute's syntax.
Indicates that the attribute value specified in a modify, add, or modify DN operation violates constraints placed on the attribute. The constraint can be one of size or content (string only, no binary).
Indicates that the attribute value specified in a modify or add operation already exists as a value for that attribute.
Indicates that the attribute value specified in an add, compare, or modify operation is an unrecognized or invalid syntax for the attribute.
Indicates that the target object cannot be found. This code is not returned on the following operations:
  - Search operations that find the search base but cannot find any entries that match the search filter.
Indicates that an error occurred when an alias was dereferenced.
Indicates that the syntax of the DN is incorrect. However, if the DN syntax is correct, but the LDAP server's structure rules do not permit the operation, the server returns the following:
Indicates that the specified operation cannot be performed on a leaf entry. (This code is not currently in the LDAP specifications, but is reserved for this constant.)
Indicates that during a search operation, either the client does not have access rights to read the aliased object's name or dereferencing is not allowed.
Indicates that during a bind operation, the client is attempting to use an authentication method that the client cannot use correctly. For example, either of the following causes this error:
  - The client returns simple credentials when strong credentials are required.
  - The client returns a DN and a password for a simple bind when the entry does not have a password defined.
Indicates that during a bind operation, one of the following occurred:
  - The client passed either an incorrect DN or an incorrect password.
  - The password is rejected because it has expired, because intruder detection has locked the account, or for some other similar reason.
Indicates that the caller does not have sufficient rights to perform the requested operation.
Indicates that the LDAP server is too busy to process the client request at this time, but if the client waits and resubmits the request, the server may be able to process it then.
Indicates that the LDAP server cannot process the client's bind request, usually because it is shutting down.
Indicates that the LDAP server cannot process the request because of server-defined restrictions. This error is returned for the following reasons:
  - The add entry request violates the server's structure rules.
  - The modify attribute request specifies attributes that users cannot modify.
  - Password restrictions prevent the action.
  - Connection restrictions prevent the action.
Indicates that the client discovered an alias or referral loop, and is thus unable to complete this request.
Indicates that the add or modify DN operation violates the schema's structure rules. For example:
  - The request places the entry subordinate to an alias.
  - The request places the entry subordinate to a container that is forbidden by the containment rules.
  - The RDN for the entry uses a forbidden attribute type.
Indicates that the add, modify, or modify DN operation violates the object class rules for the entry. For example, the following types of request return this error:
  - The add or modify operation tries to add an entry without a value for a required attribute.
  - The add or modify operation tries to add an entry with a value for an attribute which the class definition does not contain.
  - The modify operation tries to remove a required attribute without removing the auxiliary class that defines the attribute, as required.
Indicates that the requested operation is permitted only on leaf entries. For example, the following types of requests return this error:
  - The client requests a delete operation on a parent entry.
  - The client requests a modify DN operation on a parent entry.
Indicates that the modify operation attempted to remove an attribute value that forms the entry's relative distinguished name.
Indicates that the add operation attempted to add an entry that already exists, or that the modify operation attempted to rename an entry with the name of an entry that already exists.
Indicates that the modify operation attempted to modify the structure rules of an object class.
Reserved for CLDAP.
Indicates that the modify DN operation moves the entry from one LDAP server to another and thus requires more than one LDAP server.
Indicates an unknown error condition. This is the default value for NDS error codes which do not map to other LDAP error codes.
LDAP Client Return Codes
The following table lists the client return codes:
Indicates that the LDAP libraries cannot establish an initial connection with the LDAP server. Either the LDAP server is down, or the specified host name or port number is incorrect.
Indicates that the LDAP client has an error. This is usually a failed dynamic memory allocation error.
Indicates that the LDAP client encountered errors when encoding an LDAP request intended for the LDAP server.
Indicates that the LDAP client encountered errors when decoding an LDAP response from the LDAP server.
Indicates that the time limit of the LDAP client was exceeded while waiting for a result.
Indicates that the ldap_bind or ldap_bind_s function was called with an unknown authentication method.
Indicates that the ldap_search function was called with an invalid search filter.
Indicates that the user cancelled the LDAP operation.
Indicates that an LDAP function was called with an invalid parameter value (for example, the ID parameter is NULL).
Indicates that a dynamic memory allocation function failed when calling an LDAP function.
Indicates that the LDAP client has lost either its connection or cannot establish a connection to the LDAP server.
Indicates that the client does not support the requested functionality. For example, if the LDAP client is established as an LDAPv2 client, the libraries set this error code when the client requests LDAPv3 functionality.
Indicates that the client requested a control that the libraries cannot find in the list of supported controls sent by the LDAP server.
Indicates that the LDAP server sent no results. When the ldap_parse_result function is called, no result code is included in the server's response.
Indicates that more results are chained in the result message. The libraries set this code when the call to the ldap_parse_result function reveals that additional result codes are available.
Indicates the LDAP libraries detected a loop. Usually, this happens when following referrals.
Indicates that the referral exceeds the hop limit. The hop limit determines how many servers the client can hop through to retrieve data. For example, suppose the following conditions:
  - The hop limit is two.
  - The referral is to server D, which can be contacted only through server B (1 hop), which contacts server C (2 hops), which contacts server D (3 hops).
With these conditions, the hop limit is exceeded and the LDAP libraries set this code.
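As an added example (not part of the original article), the following Python maps LDAP resultCode values to the categories described above and runs a simple check over constructed bind-log lines, flagging sources that accumulate invalidCredentials results or that are refused for binding without the required protection. The numeric values and names are taken from RFC 2251 section 4.1.10; the log line format, the threshold and the sample lines are assumptions.

```python
import re
from collections import Counter, defaultdict

# Code values and names are from RFC 2251 section 4.1.10, not from this article.
NON_ERROR = {0: "success", 5: "compareFalse", 6: "compareTrue",
             10: "referral", 14: "saslBindInProgress"}
AUTH_RELATED = {7: "authMethodNotSupported", 8: "strongAuthRequired", 13: "confidentialityRequired",
                48: "inappropriateAuthentication", 49: "invalidCredentials", 50: "insufficientAccessRights"}

def classify(code: int) -> str:
    """Map a resultCode to the category the article gives for it."""
    if code == 0:
        return "success"
    if code in NON_ERROR:
        return "non-error"   # carries information (compare result, referral, SASL step), not a failure
    if code in AUTH_RELATED:
        return "auth"        # bind or access-control outcome
    return "error"

# Constructed log line format (an assumption): <timestamp> bind src=<ip> dn="<dn>" result=<code>
LINE_RE = re.compile(r'bind src=(?P<src>\S+) dn="(?P<dn>[^"]*)" result=(?P<code>\d+)')

def bind_results_by_source(lines):
    """Return {src: Counter({code: n})} over every parsable bind line."""
    per_src = defaultdict(Counter)
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            per_src[m["src"]][int(m["code"])] += 1
    return per_src

def flag_sources(per_src, threshold=3):
    """Flag sources with repeated invalidCredentials (49), and any source whose bind was
    refused with strongAuthRequired (8) or confidentialityRequired (13): a client that
    tried to bind without the protection the server demands."""
    flagged = {}
    for src, counts in per_src.items():
        bad_pw, weak = counts[49], counts[8] + counts[13]
        if bad_pw >= threshold or weak:
            flagged[src] = {"invalidCredentials": bad_pw, "weakBindRejected": weak}
    return flagged

SAMPLE_LOG = [  # constructed sample lines, not real log data
    '2024-05-01T10:00:01Z bind src=10.0.0.5 dn="cn=alice,dc=example,dc=com" result=49',
    '2024-05-01T10:00:02Z bind src=10.0.0.5 dn="cn=bob,dc=example,dc=com" result=49',
    '2024-05-01T10:00:03Z bind src=10.0.0.5 dn="cn=carol,dc=example,dc=com" result=49',
    '2024-05-01T10:00:04Z bind src=10.0.0.6 dn="cn=dave,dc=example,dc=com" result=0',
    '2024-05-01T10:00:05Z bind src=10.0.0.7 dn="cn=erin,dc=example,dc=com" result=13',
]
```

Calling flag_sources(bind_results_by_source(SAMPLE_LOG)) reports 10.0.0.5 for three invalidCredentials results and 10.0.0.7 for a bind refused with confidentialityRequired, while 10.0.0.6 (a single successful bind) is not reported.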
LDAP-Associated RFC Standards
The following table describes the LDAP-associated RFC standards available for your use:
The COSINE and Internet X.500 Schema
Replication Requirements to provide an Internet Directory using X.500
Replication and Distributed Operations extensions to provide an Internet Directory using X.500
Executive Introduction to Directory Services Using the X.500 Protocol
Technical Overview of Directory Services Using the X.500 Protocol
A Strategic Plan for Deploying an Internet X.500 Directory Service
The X.500 String Representation of Standard Attribute Syntaxes
A String Representation of LDAP Search Filters
Naming and Structuring Guidelines for X.500 Directory Pilots
Lightweight Directory Access Protocol v2
The String Representation of Standard Attribute Syntaxes
A String Representation of Distinguished Names
Schema Publishing in X.500 Directory
The LDAP Application Program Interface
An LDAP URL Format
A String Representation of LDAP Search Filters
UTF-8, a transformation format of Unicode and ISO 10646
Use of an X.500/LDAP Directory to support MIXER address mapping
A Common Schema for the Internet White Pages Service
Using Domains in LDAP/X.500 Distinguished Names
Lightweight Directory Access Protocol (v3)
Lightweight Directory Access Protocol (v3): Attribute Syntax Definitions
Lightweight Directory Access Protocol (v3): UTF-8 String Representation of Distinguished Names
The String Representation of LDAP Search Filters
The LDAP URL Format
A Summary of the X.500(96) User Schema for use with LDAPv3
UTF-8, a transformation format of ISO 10646
Representing Tables and Subtrees in the X.500 Directory
Representing the O/R Address hierarchy in the X.500 Directory Information Tree
An Approach for Using LDAP as a Network Information Service
Naming Plan for Internet Directory-Enabled Applications
Content Feature Schema for Internet Fax
Internet X.509 Public Key Infrastructure Operational Protocols - LDAPv2
Internet X.509 Public Key Infrastructure LDAPv2 Schema
Lightweight Directory Access Protocol (v3): Extensions for Dynamic Directory Services
Use of Language Codes in LDAP
An LDAP Control and Schema for Holding Operation Signatures
RFC 2657 - LDAPv2 Client vs. the Index Mesh
LDAP Control Extension for Simple Paged Results Manipulation
Schema for Representing Java(tm) Objects in an LDAP Directory
Schema for Representing CORBA Object References in an LDAP Directory
Calendar Attributes for vCard and LDAP
Definition of the inetOrgPerson LDAP Object Class
Access Control Requirements for LDAP
Authentication Methods for LDAP
Lightweight Directory Access Protocol (v3): Extension for Transport Layer Security
The LDAP Data Interchange Format (LDIF) - Technical Specification
Content Feature Schema for Internet Fax (V2)
LDAP Control Extension for Server Side Sorting of Search Results
Storing Vendor Information in the LDAP root DSE
LDAP Password Modify Extended Operation
LDAP Authentication Password Schema
Named Subordinate References in Lightweight Directory Access Protocol Directories
Lightweight Directory Access Protocol (v3): Technical Specification
Lightweight Directory Access Protocol (version 3) Replication Requirements