summaryrefslogtreecommitdiffstats
path: root/doc/guide/admin/appendix-ldap-result-codes.sdf
blob: d54d6f5f51718e6d92f465acff195b0f3566d017 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
# $OpenLDAP$
# Copyright 2007-2022 The OpenLDAP Foundation, All Rights Reserved.
# COPYING RESTRICTIONS APPLY, see COPYRIGHT.

H1:  LDAP Result Codes

For the purposes of this guide, we have incorporated the standard LDAP result 
codes from {{Appendix A.  LDAP Result Codes}} of {{REF:RFC4511}}, a copy of which can 
be found in {{F:doc/rfc}} of the OpenLDAP source code.

We have expanded the description of each error in relation to the OpenLDAP 
toolsets.
LDAP extensions may introduce extension-specific result codes, which are not part
of RFC4511.
OpenLDAP returns the result codes related to extensions it implements.
Their meaning is documented in the extension they are related to.

H2:  Non-Error Result Codes

These result codes (called "non-error" result codes) do not indicate
an error condition:

>        success (0),
>        compareFalse (5),
>        compareTrue (6),
>        referral (10), and
>        saslBindInProgress (14).

The {{success}}, {{compareTrue}}, and {{compareFalse}} result codes indicate
successful completion (and, hence, are referred to as "successful"
result codes).

The {{referral}} and {{saslBindInProgress}} result codes indicate the client
needs to take additional action to complete the operation.

H2:  Result Codes

Existing LDAP result codes are described as follows:

H2: success (0)

Indicates the successful completion of an operation.  

Note: this code is not used with the Compare operation.  See {{SECT:compareFalse (5)}} 
and {{SECT:compareTrue (6)}}.

H2: operationsError (1)

Indicates that the operation is not properly sequenced with
relation to other operations (of same or different type).

For example, this code is returned if the client attempts to
StartTLS ({{REF:RFC4511}} Section 4.14) while there are other uncompleted operations
or if a TLS layer was already installed.

H2: protocolError (2)

Indicates the server received data that is not well-formed.

For Bind operation only, this code is also used to indicate
that the server does not support the requested protocol
version.

For Extended operations only, this code is also used to
indicate that the server does not support (by design or
configuration) the Extended operation associated with the
{{requestName}}.

For request operations specifying multiple controls, this may
be used to indicate that the server cannot ignore the order
of the controls as specified, or that the combination of the
specified controls is invalid or unspecified.

H2: timeLimitExceeded (3)

Indicates that the time limit specified by the client was
exceeded before the operation could be completed.

H2: sizeLimitExceeded (4)

Indicates that the size limit specified by the client was
exceeded before the operation could be completed.

H2: compareFalse (5)

Indicates that the Compare operation has successfully
completed and the assertion has evaluated to FALSE or
Undefined.

H2: compareTrue (6)

Indicates that the Compare operation has successfully
completed and the assertion has evaluated to TRUE.

H2: authMethodNotSupported (7)

Indicates that the authentication method or mechanism is not
supported.

H2: strongerAuthRequired (8)

Indicates the server requires strong(er) authentication in
order to complete the operation.

When used with the Notice of Disconnection operation, this
code indicates that the server has detected that an
established security association between the client and
server has unexpectedly failed or been compromised.

H2: referral (10)

Indicates that a referral needs to be chased to complete the
operation (see {{REF:RFC4511}} Section 4.1.10).

H2: adminLimitExceeded (11)

Indicates that an administrative limit has been exceeded.

H2: unavailableCriticalExtension (12)

Indicates a critical control is unrecognized (see {{REF:RFC4511}} Section
4.1.11).

H2: confidentialityRequired (13)

Indicates that data confidentiality protections are required.

H2: saslBindInProgress (14)

Indicates the server requires the client to send a new bind
request, with the same SASL mechanism, to continue the
authentication process (see {{REF:RFC4511}} Section 4.2).

H2: noSuchAttribute (16)

Indicates that the named entry does not contain the specified
attribute or attribute value.

H2: undefinedAttributeType (17)

Indicates that a request field contains an unrecognized
attribute description.

H2: inappropriateMatching (18)

Indicates that an attempt was made (e.g., in an assertion) to
use a matching rule not defined for the attribute type
concerned.

H2: constraintViolation (19)

Indicates that the client supplied an attribute value that
does not conform to the constraints placed upon it by the
data model.

For example, this code is returned when multiple values are
supplied to an attribute that has a SINGLE-VALUE constraint.

H2: attributeOrValueExists (20)

Indicates that the client supplied an attribute or value to
be added to an entry, but the attribute or value already
exists.

H2: invalidAttributeSyntax (21)

Indicates that a purported attribute value does not conform
to the syntax of the attribute.

H2: noSuchObject (32)

Indicates that the object does not exist in the DIT.

H2: aliasProblem (33)

Indicates that an alias problem has occurred.  For example,
the code may used to indicate an alias has been dereferenced
that names no object.

H2: invalidDNSyntax (34)

Indicates that an LDAPDN or RelativeLDAPDN field (e.g., search
base, target entry, ModifyDN newrdn, etc.) of a request does
not conform to the required syntax or contains attribute
values that do not conform to the syntax of the attribute's
type.

H2: aliasDereferencingProblem (36)

Indicates that a problem occurred while dereferencing an
alias.  Typically, an alias was encountered in a situation
where it was not allowed or where access was denied.

H2: inappropriateAuthentication (48)

Indicates the server requires the client that had attempted
to bind anonymously or without supplying credentials to
provide some form of credentials.

H2: invalidCredentials (49)

Indicates that the provided credentials (e.g., the user's name
and password) are invalid.

H2: insufficientAccessRights (50)

Indicates that the client does not have sufficient access
rights to perform the operation.

H2: busy (51)

Indicates that the server is too busy to service the
operation.

H2: unavailable (52)

Indicates that the server is shutting down or a subsystem
necessary to complete the operation is offline.

H2: unwillingToPerform (53)

Indicates that the server is unwilling to perform the
operation.

H2: loopDetect (54)

Indicates that the server has detected an internal loop (e.g.,
while dereferencing aliases or chaining an operation).

H2: namingViolation (64)

Indicates that the entry's name violates naming restrictions.

H2: objectClassViolation (65)

Indicates that the entry violates object class restrictions.

H2: notAllowedOnNonLeaf (66)

Indicates that the operation is inappropriately acting upon a
non-leaf entry.

H2: notAllowedOnRDN (67)

Indicates that the operation is inappropriately attempting to
remove a value that forms the entry's relative distinguished
name.

H2: entryAlreadyExists (68)

Indicates that the request cannot be fulfilled (added, moved,
or renamed) as the target entry already exists.

H2: objectClassModsProhibited (69)

Indicates that an attempt to modify the object class(es) of
an entry's 'objectClass' attribute is prohibited.

For example, this code is returned when a client attempts to
modify the structural object class of an entry.

H2: affectsMultipleDSAs (71)

Indicates that the operation cannot be performed as it would
affect multiple servers (DSAs).

H2: other (80)

Indicates the server has encountered an internal error.