
draft-just-ldapv3-rescodes-01.txt



Please publish this second draft of our document entitled "LDAPv3 Result
Codes: Definitions and Appropriate Use".   

Comments on this draft would be greatly appreciated.  

Changes from -00 include the addition of the following sections:
-  Section 1.1, which describes the relationship to X.500;
-  Section 3, which overviews the draft contents; and
-  Section 6.1, which indicates the result codes applicable to all
   operations.
In addition, there were several smaller changes.

Mike Just

----------------------------------------

Abstract:
   The purpose of this document is to describe, in some detail, the
   meaning and use of the result codes used with the LDAPv3 protocol.
   Of particular importance are the error codes, which represent the
   majority of the result codes.  This document provides definitions for
   each result code, and outlines the expected behaviour of the various
   operations with respect to how result codes and in particular, error
   conditions should be handled and which specific error code should be
   returned.

   It is hoped that this document will facilitate interoperability
   between clients and servers and the development of intelligent LDAP
   clients capable of acting upon the results received from the server.







Internet Draft                                       Mike Just, Entrust
                                                    K. Leclair, Entrust
                                                Jim Sermersheim, Novell
                                                   Mark Smith, Netscape
Document: <draft-just-ldapv3-rescodes-01.txt>            February, 2000
Category: Standards Track


          LDAPv3 Result Codes: Definitions and Appropriate Use
                    <draft-just-ldapv3-rescodes-01.txt>


Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026 [RFC2026].

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups. Note that other
   groups may also distribute working documents as Internet-Drafts.
   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt
   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

1. Abstract

   The purpose of this document is to describe, in some detail, the
   meaning and use of the result codes used with the LDAPv3 protocol.
   Of particular importance are the error codes, which represent the
   majority of the result codes.  This document provides definitions for
   each result code, and outlines the expected behaviour of the various
   operations with respect to how result codes and in particular, error
   conditions should be handled and which specific error code should be
   returned.

   It is hoped that this document will facilitate interoperability
   between clients and servers and the development of intelligent LDAP
   clients capable of acting upon the results received from the server.

1.1 Relationship to X.500

   The LDAPv3 RFC [RFC2251] states that "An LDAP server MUST act in
   accordance with the X.500(1993) series of ITU recommendations when
   providing the service. However, it is not required that an LDAP
   server make use of any X.500 protocols in providing this service,
   e.g. LDAP can be mapped onto any other directory system so long as
   the X.500 data and service model as used in LDAP is not violated in
   the LDAP interface." This means that there are two types of LDAP

Just, Leclair, Sermersheim, Smith INTERNET-DRAFT                     1

         LDAPv3 Result Codes: Definitions and Appropriate Use Feb, 2000

   servers: those that act as a front end to an X.500 directory, and
   stand-alone LDAP servers which use some other form of repository as
   the back end.

   Because of differences between X.500 and LDAP there may be some
   differences in behaviour between LDAP-only servers and LDAP servers
   that act as front ends to X.500 DSAs. One such difference is the
   definition of specific access controls for X.500. X.500 defines the
   discloseOnError permission, an access control parameter for which
   there is currently no equivalent defined for LDAP. If an LDAP server
   is acting as a front end to an X.500 DSA then it may return
   noSuchObject when the target entry is found but the client does not
   have permission to view or modify the entry. Unless they implement
   X.500-style access controls, LDAP-only servers should return
   noSuchObject only when the target entry is not found, until such
   time as similar access controls are defined for LDAP-only servers.
   Because the client may not know what sort of LDAP server it is
   communicating with, it should not rely on the behaviour of the server
   in this respect.


2. Conventions used in this document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED",  "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC-2119 [RFC2119].

3. Overview

   This document collects and refines the definitions and descriptions
   for LDAPv3 result codes, as found in a variety of sources (see
   Section 8).  In some cases, material from these sources was absent,
   inadequate or ambiguous.  It is the hope of this document to
   present consistent definitions and descriptions of LDAPv3 result
   codes.

   This document consists of two major sections facilitating information
   searches based on either a particular result code, or LDAP operation.

   Section 5 presents a glossary for the result codes.  Firstly, each is
   classified as either an erroneous or non-erroneous result.  The
   erroneous results, or error codes, are further classified based on
   the types of error codes defined in X.511 [X511].  Some
   reclassification was performed where appropriate.  For each result
   code, a definition, and list of operations that could return this
   code are given.  In addition, Section 5.3 specifies error precedence,
   based on error type, as given in X.511 [X511].

   Section 6 describes, for each operation, the result codes that could
   be returned for that operation.  Firstly, Section 6.1 enumerates
   those result codes that are applicable to all operations.  Within
   each remaining section (which is specific to each operation), the
   error codes are ordered as to the precedence of their parent type, as
   specified in Section 5.3.

   Also, Appendix A (Section 11) presents a simple matrix that indicates
   valid operation/result code pairs in LDAPv3.

4. Table of Contents

   1. Abstract........................................................1
 1.1 Relationship to X.500...........................................1
   2. Conventions used in this document...............................2
   3. Overview........................................................2
   4. Table of Contents...............................................3
   5. Result Codes in LDAPv3..........................................5
 5.1 Description of Non-Erroneous Result Codes.......................6
  5.1.1 success(0)...................................................6
  5.1.2 compareFalse(5)..............................................6
  5.1.3 compareTrue(6)...............................................6
  5.1.4 referral(10).................................................7
  5.1.5 saslBindInProgress(14).......................................7
 5.2 Description of Error Codes......................................7
  5.2.1 General Error Codes..........................................7
    5.2.1.1 operationsError(1).......................................7
    5.2.1.2 protocolError(2).........................................8
    5.2.1.3 other(80)................................................8
  5.2.2 Specific Error Codes.........................................8
    5.2.2.1 Attribute Problem Error Codes............................8
     5.2.2.1.1 noSuchAttribute(16)...................................8
     5.2.2.1.2 undefinedAttributeType(17)............................8
     5.2.2.1.3 inappropriateMatching(18).............................9
     5.2.2.1.4 constraintViolation(19)...............................9
     5.2.2.1.5 attributeOrValueExists(20)............................9
     5.2.2.1.6 invalidAttributeSyntax(21)............................9
    5.2.2.2 NameProblem Error Codes..................................9
     5.2.2.2.1 noSuchObject(32)......................................9
     5.2.2.2.2 aliasProblem(33).....................................10
     5.2.2.2.3 invalidDNSyntax(34)..................................10
     5.2.2.2.4 aliasDereferencingProblem(36)........................10
    5.2.2.3 SecurityProblem Error Codes.............................10
     5.2.2.3.1 authMethodNotSupported(7)............................10
     5.2.2.3.2 strongAuthRequired(8)................................10
     5.2.2.3.3 confidentialityRequired(13)..........................11
     5.2.2.3.4 inappropriateAuthentication(48)......................11
     5.2.2.3.5 invalidCredentials(49)...............................11
     5.2.2.3.6 insufficientAccessRights(50).........................11
    5.2.2.4 ServiceProblem Error Codes..............................12
     5.2.2.4.1 timeLimitExceeded(3).................................12
     5.2.2.4.2 sizeLimitExceeded(4).................................12
     5.2.2.4.3 adminLimitExceeded(11)...............................12
     5.2.2.4.4 unavailableCriticalExtension(12).....................12
     5.2.2.4.5 busy(51).............................................13
     5.2.2.4.6 unavailable(52)......................................13
     5.2.2.4.7 unwillingToPerform(53)...............................13
     5.2.2.4.8 loopDetect(54).......................................13
    5.2.2.5 UpdateProblem Error Codes...............................13
     5.2.2.5.1 namingViolation(64)..................................14

     5.2.2.5.2 objectClassViolation(65).............................14
     5.2.2.5.3 notAllowedOnNonLeaf(66)..............................14
     5.2.2.5.4 notAllowedOnRDN(67)..................................14
     5.2.2.5.5 entryAlreadyExists(68)...............................14
     5.2.2.5.6 objectClassModsProhibited(69)........................15
     5.2.2.5.7 affectsMultipleDSAs(71)..............................15
 5.3 Error Precedence...............................................15
   6 LDAP Operations.................................................15
 6.1 Common Result Codes............................................16
  6.1.1 Non-erroneous results.......................................16
  6.1.2 Security Errors.............................................16
  6.1.3 Service Errors..............................................16
  6.1.4 General Errors..............................................17
 6.2 Bind Operation Errors..........................................17
  6.2.1 Non-erroneous results.......................................17
  6.2.2 Name Errors.................................................17
  6.2.3 Security Errors.............................................17
 6.3 Search Operation Errors........................................17
  6.3.1 Name Errors.................................................18
  6.3.2 Attribute Errors............................................18
  6.3.3 Security Errors.............................................18
  6.3.4 Service Errors..............................................18
 6.4 Modify Operation Errors........................................19
  6.4.1 Name Errors.................................................19
  6.4.2 Update Errors...............................................19
  6.4.3 Attribute Errors............................................19
  6.4.4 Security Errors.............................................20
 6.5 Add Operation Errors...........................................20
  6.5.1 Name Errors.................................................20
  6.5.2 Update Errors...............................................20
  6.5.3 Attribute Errors............................................20
  6.5.4 Security Errors.............................................21
 6.6 Delete Operation Errors........................................21
  6.6.1 Name Errors.................................................21
  6.6.2 Update Errors...............................................21
  6.6.3 Security Errors.............................................21
 6.7 ModifyDN Operation Errors......................................21
  6.7.1 Name Errors.................................................22
  6.7.2 Update Errors...............................................22
  6.7.3 Attribute Errors............................................22
  6.7.4 Security Errors.............................................23
 6.8 Compare Operation Errors.......................................23
  6.8.1 Name Errors.................................................23
  6.8.2 Attribute Errors............................................23
  6.8.3 Security Errors.............................................23
  6.8.4 Example.....................................................24
 6.9 Extended Operation Errors......................................24
 6.10 Operations with no Server Response............................25
 6.11 Unsolicited Notification......................................25
   7. Security Considerations........................................25
   8. References.....................................................25
   9. Acknowledgments................................................26
   10. Author's Addresses............................................26
   11 Appendix A: Operation/Response Matrix..........................27

   12 Full Copyright Statement.......................................29

5. Result Codes in LDAPv3

   In this section, a glossary of the result codes that may be returned
   from a server to a client is provided.  This section is meant to
   provide a central, unified source for these definitions.  RFC 2251
   [RFC2251] and X.511 [X511] were primary sources, forming the basis
   for the definitions given in this section.

   LDAP v3 [RFC2251] defines the following result message for return
   from the server to the client, where "new" indicates those codes
   that were not used in LDAP v2.

   LDAPResult ::= SEQUENCE {
        resultCode      ENUMERATED {
                success                      (0),
                operationsError              (1),
                protocolError                (2),
                timeLimitExceeded            (3),
                sizeLimitExceeded            (4),
                compareFalse                 (5),
                compareTrue                  (6),
                authMethodNotSupported       (7),
                strongAuthRequired           (8),
                -- 9 reserved --
                referral                     (10),  -- new
                adminLimitExceeded           (11),  -- new
                unavailableCriticalExtension (12),  -- new
                confidentialityRequired      (13),  -- new
                saslBindInProgress           (14),  -- new
                noSuchAttribute              (16),
                undefinedAttributeType       (17),
                inappropriateMatching        (18),
                constraintViolation          (19),
                attributeOrValueExists       (20),
                invalidAttributeSyntax       (21),
                -- 22-31 unused --
                noSuchObject                 (32),
                aliasProblem                 (33),
                invalidDNSyntax              (34),
                -- 35 reserved for undefined isLeaf --
                aliasDereferencingProblem    (36),
                -- 37-47 unused --
                inappropriateAuthentication  (48),
                invalidCredentials           (49),
                insufficientAccessRights     (50),
                busy                         (51),
                unavailable                  (52),
                unwillingToPerform           (53),
                loopDetect                   (54),
                -- 55-63 unused --
                namingViolation              (64),
                objectClassViolation         (65),
                notAllowedOnNonLeaf          (66),
                notAllowedOnRDN              (67),
                entryAlreadyExists           (68),
                objectClassModsProhibited    (69),
                -- 70 reserved for CLDAP --
                affectsMultipleDSAs          (71), -- new
                -- 72-79 unused --
                other                        (80) },
                -- 81-90 reserved for APIs --
        matchedDN       LDAPDN,
        errorMessage    LDAPString,
        referral        [3] Referral OPTIONAL }

   If a client receives a result code that is not listed above, it is to
   be treated as an unknown error condition.

   The LDAP result includes an errorMessage field, which may, at the
   server's option, be used to return a string containing a textual,
   human-readable error diagnostic. As this error diagnostic is not
   standardized, implementations MUST NOT rely on the values returned.
   If the server chooses not to return a textual diagnostic, the
   errorMessage field of the LDAPResult type MUST contain a zero length
   string.

   In the following subsections, definitions for each result code are
   provided.  In addition, the operations that may return each result
   code are also identified.  The set of all operations consists of the
   following: Bind; Search; Modify; Add; Delete; ModifyDN; Extended; and
   Compare.
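As an added example (not part of the draft or RFC 2251), a minimal BER decoder for the COMPONENTS OF LDAPResult that open every LDAP response, using the enumeration above as its code table and applying the client-side rules just stated: an unlisted code is an unknown error condition, errorMessage is diagnostic text only, and matchedDN is meaningful only for name errors. The BER helper, the consistency checks, and the sample bytes in the comments are this example's own construction.

```python
from dataclasses import dataclass, field

# resultCode values of the LDAPResult ENUMERATED listed above (RFC 2251).
RESULT_CODES = {
    0: "success", 1: "operationsError", 2: "protocolError", 3: "timeLimitExceeded",
    4: "sizeLimitExceeded", 5: "compareFalse", 6: "compareTrue",
    7: "authMethodNotSupported", 8: "strongAuthRequired", 10: "referral",
    11: "adminLimitExceeded", 12: "unavailableCriticalExtension",
    13: "confidentialityRequired", 14: "saslBindInProgress", 16: "noSuchAttribute",
    17: "undefinedAttributeType", 18: "inappropriateMatching", 19: "constraintViolation",
    20: "attributeOrValueExists", 21: "invalidAttributeSyntax", 32: "noSuchObject",
    33: "aliasProblem", 34: "invalidDNSyntax", 36: "aliasDereferencingProblem",
    48: "inappropriateAuthentication", 49: "invalidCredentials",
    50: "insufficientAccessRights", 51: "busy", 52: "unavailable",
    53: "unwillingToPerform", 54: "loopDetect", 64: "namingViolation",
    65: "objectClassViolation", 66: "notAllowedOnNonLeaf", 67: "notAllowedOnRDN",
    68: "entryAlreadyExists", 69: "objectClassModsProhibited",
    71: "affectsMultipleDSAs", 80: "other",
}
NON_ERROR = {0, 5, 6, 10, 14}        # Section 5.1: not error conditions
NEEDS_CLIENT_ACTION = {10, 14}       # referral, saslBindInProgress
NAME_ERRORS = {32, 33, 34, 36}       # only these carry a non-empty matchedDN

# BER tags used: ENUMERATED, OCTET STRING, and the constructed context
# tag [3] that wraps Referral ::= SEQUENCE OF LDAPURL.
ENUMERATED, OCTET_STRING, REFERRAL_TAG = 0x0A, 0x04, 0xA3

def _read_tlv(buf: bytes, pos: int):
    """(tag, value, next_pos) for the BER TLV at buf[pos]; LDAP uses
    single-octet tags and definite lengths only, so that is all we accept."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length == 0x80:
        raise ValueError("indefinite length is not permitted in LDAP")
    if length & 0x80:                # long form: low 7 bits = number of length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("TLV value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

@dataclass
class LDAPResult:
    result_code: int
    matched_dn: str = ""
    error_message: str = ""          # diagnostic text only; never act on it
    referral: list = field(default_factory=list)

    @property
    def name(self) -> str:
        return RESULT_CODES.get(self.result_code, "unknown")

    @property
    def is_error(self) -> bool:
        # Everything outside the non-erroneous set, including codes the
        # client does not recognise, is treated as an error condition.
        return self.result_code not in NON_ERROR

    @property
    def needs_client_action(self) -> bool:
        return self.result_code in NEEDS_CLIENT_ACTION

def decode_ldap_result(body: bytes) -> LDAPResult:
    """Decode the COMPONENTS OF LDAPResult that open every LDAP response:
    resultCode, matchedDN, errorMessage, then an optional [3] referral.
    Constructed sample: 0a0120 0411 <dc=example,dc=com> 0400 is noSuchObject."""
    tag, code, pos = _read_tlv(body, 0)
    if tag != ENUMERATED:
        raise ValueError("resultCode must be ENUMERATED")
    t1, mdn, pos = _read_tlv(body, pos)
    t2, msg, pos = _read_tlv(body, pos)
    if t1 != OCTET_STRING or t2 != OCTET_STRING:
        raise ValueError("matchedDN and errorMessage must be OCTET STRING")
    urls = []
    if pos < len(body) and body[pos] == REFERRAL_TAG:
        _, refs, pos = _read_tlv(body, pos)
        p = 0
        while p < len(refs):
            t, url, p = _read_tlv(refs, p)
            if t != OCTET_STRING:
                raise ValueError("referral entries must be LDAPURL strings")
            urls.append(url.decode("utf-8"))
    return LDAPResult(int.from_bytes(code, "big", signed=True),
                      mdn.decode("utf-8"), msg.decode("utf-8"), urls)

def validate(r: LDAPResult) -> list:
    """Client-side consistency checks drawn from the rules quoted above."""
    findings = []
    if r.result_code not in RESULT_CODES:
        findings.append("undefined result code %d: unknown error" % r.result_code)
    if r.matched_dn and r.result_code not in NAME_ERRORS:
        findings.append("matchedDN set but %s is not a name error" % r.name)
    if r.referral and r.result_code != 10:
        findings.append("referral field present without resultCode referral")
    return findings
```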

5.1 Description of Non-Erroneous Result Codes

   Five result codes that may be returned in LDAPResult are not used to
   indicate an error.  These result codes are listed below.  The first
   three codes indicate to the client that no further action is
   required in order to satisfy their request.  In contrast, the last
   two codes require further action by the client in order to complete
   their original operation request.

5.1.1 success(0)

   Applicable operations: all except for Compare.

   This result code does not indicate an error. It is returned when the
   client operation completed successfully.

5.1.2 compareFalse(5)

   Applicable operations: Compare.

   This result code does not indicate an error.  It is used to indicate
   that the result of a Compare operation is FALSE.

5.1.3 compareTrue(6)

   Applicable operations: Compare.

   This result code does not indicate an error.  It is used to indicate
   that the result of a Compare operation is TRUE.

5.1.4 referral(10)

   Applicable operations: all.

   This result code is new in LDAPv3.  Rather than indicating an error,
   this result code is used to indicate that the server does not hold
   the target entry of the request but is able to provide alternative
   servers that may.  A set of server URLs may be returned in the
   referral field, which the client may subsequently query to attempt to
   complete their operation.

5.1.5 saslBindInProgress(14)

   Applicable operations: Bind.

   This result code is new in LDAPv3.  This result code is not an error
   response from the server, but rather, is a request for bind
   continuation.  The server requires the client to send a new bind
   request, with the same SASL mechanism, to continue the authentication
   process [RFC2251, Section 4.2.3].

5.2 Description of Error Codes

   General error codes (see Section 5.2.1) are typically returned only
   when no suitable specific error exists.  Specific error codes (see
   Section 5.2.2) are meant to capture situations that are specific to
   the requested operation.

5.2.1 General Error Codes

   A general error code typically specifies an error condition for which
   there is no suitable specific error code. If the server can return an
   error which is more specific than the following general errors, then
   the specific error should be returned instead.

5.2.1.1 operationsError(1)

   Applicable operations: all.

   This error code is returned when the server encounters an internal
   error and is unable to respond with a more specific result code, as a
   result of this internal error.  This may occur, for example, if
   sufficient memory to handle a request cannot be allocated by the
   server.

   Note that an operationsError indicates that the server is unable to
   properly respond to a request, but does not indicate that the client
   has sent an erroneous message.  For example, in the case that a
   malformed request is received and the server does not experience an
   internal error, a protocol error should be returned (see Section
   5.2.1.2).

5.2.1.2 protocolError(2)

   Applicable operations: all.

   A protocol error should be returned by the server when an invalid or
   malformed request is received from the client. This may be a request
   that is not recognized as an LDAP request, for example, if a
   nonexistent operation were specified in LDAPMessage.  As well, it may
   be the result of a request that is missing a required parameter, such
   as a search filter in a search request. If the server can return an
   error which is more specific than protocolError, then that error
   should be returned instead. For example, if the server does not
   recognize the authentication method requested by the client then the
   error authMethodNotSupported should be returned instead of
   protocolError. The server may return details of the error in the
   error string.

5.2.1.3 other(80)

   Applicable operations: all.

   This error code should be returned only if no other error code is
   suitable.  Use of this error code should be avoided if possible.
   Details of the error should be provided in the error message.

5.2.2 Specific Error Codes

   Specific errors are used to indicate that a particular type of error
   has occurred.  These error types are Name, Update, Attribute,
   Security, and Service.

5.2.2.1 Attribute Problem Error Codes

   An attribute error reports a problem related to an attribute
   specified by the client in their request message.

5.2.2.1.1 noSuchAttribute(16)

   Applicable operations: Modify, Compare.

   This error may be returned if the attribute specified as an argument
   of the operation does not exist in the entry.

5.2.2.1.2 undefinedAttributeType(17)

   Applicable operations: Modify, Add.

   This error may be returned if the specified attribute is unrecognized
   by the server, since it is not present in the server's defined
   schema. If the server doesn't recognize an attribute specified in a
   search request as an attribute to be returned, the server should not
   return an error in this case; it should just return values for the
   requested attributes it does recognize. Note that this result code
   only applies to the Add and Modify operations [X511, Section 12.4].

5.2.2.1.3 inappropriateMatching(18)

   Applicable operations: Search.

   An attempt was made, e.g., in a filter, to use a matching rule not
   defined for the attribute type concerned [X511, Section 12.4].

5.2.2.1.4 constraintViolation(19)

   Applicable operations: Modify, Add, ModifyDN.

   This error should be returned by the server if an attribute value
   specified by the client violates the constraints placed on the
   attribute as it was defined in the DSA - this may be a size
   constraint or a constraint on the content.

5.2.2.1.5 attributeOrValueExists(20)

   Applicable operations: Modify, Add.

   This error should be returned by the server if the value specified by
   the client already exists within the attribute.

5.2.2.1.6 invalidAttributeSyntax(21)

   Applicable operations: Modify, Add.

   This error should be returned by the server if the attribute syntax
   for the attribute value, specified as an argument of the operation,
   is unrecognized or invalid.

5.2.2.2 NameProblem Error Codes

   A name error reports a problem related to the distinguished name
   provided as an argument to an operation [X511, Section 12.5].

   For result codes of noSuchObject, aliasProblem, invalidDNSyntax and
   aliasDereferencingProblem, the matchedDN field is set to the name of
   the lowest entry (object or alias) in the directory that was matched.
   If no aliases were dereferenced while attempting to locate the entry,
   this will be a truncated form of the name provided, or if aliases
   were dereferenced, of the resulting name, as defined in section 12.5
   of X.511 [X511]. The matchedDN field is to be set to a zero length
   string with all other result codes [RFC2251, Section 4.1.10].

5.2.2.2.1 noSuchObject(32)

   Applicable operations: all except for Bind.

   This error should only be returned if the target object cannot be
   found. For example, in a search operation if the search base cannot
   be located in the DSA the server should return noSuchObject. If,
   however, the search base is found but does not match the search
   filter, success, with no resultant objects, should be returned
   instead of noSuchObject.
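As an added example (not from the draft), the matchedDN rule of Section 5.2.2.2 and the noSuchObject/success distinction above, applied by a toy search handler over a constructed in-memory directory. The readable() predicate and the x500_front_end flag model the discloseOnError behaviour described in Section 1.1 and are this example's assumptions, as is the naive comma-split DN parsing.

```python
# Constructed in-memory directory: normalised DN -> attributes. It stands in
# for the DSA's backing store; no real LDAP server is behind this example.
DIRECTORY = {
    "dc=example,dc=com": {"objectClass": ["domain"]},
    "ou=people,dc=example,dc=com": {"objectClass": ["organizationalUnit"]},
    "cn=alice,ou=people,dc=example,dc=com": {"objectClass": ["person"], "cn": ["alice"]},
    "cn=bob,ou=people,dc=example,dc=com": {"objectClass": ["person"], "cn": ["bob"]},
}
SUCCESS, NO_SUCH_OBJECT, INSUFFICIENT_ACCESS_RIGHTS = 0, 32, 50


def normalize_dn(dn: str) -> str:
    """Case-fold and strip spaces around RDN separators. Naive by design:
    it splits on every comma, so escaped commas in values are not handled."""
    return ",".join(rdn.strip().lower() for rdn in dn.split(",")) if dn.strip() else ""


def matched_dn(target: str, entries) -> str:
    """matchedDN for a name error (Section 5.2.2.2): the lowest existing entry
    on the path to target, found by stripping leading RDNs until the remainder
    names a present entry. Returns "" when no suffix of the name exists."""
    rdns = normalize_dn(target).split(",")
    for i in range(len(rdns)):
        candidate = ",".join(rdns[i:])
        if candidate in entries:
            return candidate
    return ""


def search(base: str, scope_filter, directory=DIRECTORY,
           readable=lambda dn: True, x500_front_end=False):
    """Decide a subtree search's (resultCode, matchedDN, hits).

    readable(dn) models access control. With x500_front_end the handler
    behaves like the front end the draft describes: entries the client may
    not read are treated as absent, so a hidden base yields noSuchObject and
    matchedDN is computed over visible entries only. Without it, a found but
    unreadable base gets insufficientAccessRights (Section 5.2.2.3.6)."""
    entries = ({dn: e for dn, e in directory.items() if readable(dn)}
               if x500_front_end else directory)
    base_n = normalize_dn(base)
    if base_n not in entries:
        # Base object not found: noSuchObject with matchedDN, never success.
        return NO_SUCH_OBJECT, matched_dn(base_n, entries), []
    if not readable(base_n):
        return INSUFFICIENT_ACCESS_RIGHTS, "", []
    hits = [dn for dn in entries
            if (dn == base_n or dn.endswith("," + base_n))
            and readable(dn) and scope_filter(entries[dn])]
    # Base found but nothing matched the filter: success with zero entries.
    return SUCCESS, "", hits
```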

   If the LDAP server is a front end for an X.500 DSA then noSuchObject
   may also be returned if discloseOnError is not granted for an entry
   and the client does not have permission to view or modify the entry.

5.2.2.2.2 aliasProblem(33)

   Applicable operations: Search.

   An alias has been dereferenced which names no object [X511, Section
   12.5].

5.2.2.2.3 invalidDNSyntax(34)

   Applicable operations: all.

   This error should be returned by the server if the DN syntax is
   incorrect. It should not be returned if the DN is correctly formed
   but represents an entry which is not permitted by the structure rules
   at the DSA; in this case namingViolation should be returned instead.

5.2.2.2.4 aliasDereferencingProblem(36)

   Applicable operations: Search.

   An alias was encountered in a situation where it was not allowed or
   where access was denied [X511, Section 12.5].

   For example, if the client does not have read permission for the
   aliasedObjectName attribute and its value then the error
   aliasDereferencingProblem should be returned. [X511, Section
   7.11.1.1]

5.2.2.3 SecurityProblem Error Codes

   A security error reports a problem in carrying out an operation for
   security reasons [X511, Section 12.7].

5.2.2.3.1 authMethodNotSupported(7)

   Applicable operations: Bind.

   This error code should be returned if the client requests, in a Bind
   request, an authentication method which is not supported or
   recognized by the server.

5.2.2.3.2 strongAuthRequired(8)

   Applicable operations: all.

   This error may be returned on a bind request if the server only
   accepts strong authentication or it may be returned when a client
   attempts an operation which requires the client to be strongly
   authenticated - for example Delete.

   This result code may also be returned in an unsolicited notice of
   disconnection if the server detects that an established underlying
   security association protecting communication between the client and
   server has unexpectedly failed or been compromised. [RFC2251, Section
   4.4.1]

5.2.2.3.3 confidentialityRequired(13)

   Applicable operations: all.

   This error code is new in LDAPv3. This error code may be returned if
   the session is not protected by a protocol which provides session
   confidentiality. For example, if the client did not establish a TLS
   connection using a cipher suite which provides confidentiality of the
   session before sending any other requests, and the server requires
   session confidentiality then the server may reject that request with
   a result code of confidentialityRequired.

5.2.2.3.4 inappropriateAuthentication(48)

   Applicable operations: Bind.

   This error should be returned by the server when the client has tried
   to use a method of authentication that is inappropriate, that is a
   method of authentication which the client is unable to use correctly.
   In other words, the level of security associated with the requestor's
   credentials is inconsistent with the level of protection requested,
   e.g. simple credentials were supplied while strong credentials were
   required [X511, Section 12.7].

5.2.2.3.5 invalidCredentials(49)

   Applicable operations: Bind.

   This error code is returned if the DN or password used in a simple
   bind operation is incorrect, or if the DN or password is incorrect
   for some other reason, e.g. the password has expired.  This result
   code only applies to Bind operations; it should not be returned for
   other operations when the client does not have sufficient permission
   to perform the requested operation.  In that case the return code
   should be insufficientAccessRights.

5.2.2.3.6 insufficientAccessRights(50)

   Applicable operations: all except for Bind.

   The requestor does not have the right to carry out the requested
   operation [X511, Section 12.7].

5.2.2.4 ServiceProblem Error Codes

   A service error reports a problem related to the provision of the
   service [X511, Section 12.8].

5.2.2.4.1 timeLimitExceeded(3)

   Applicable operations: all.

   This error should be returned when the time to perform an operation
   has exceeded either the time limit specified by the client (which may
   only be set by the client in a search operation) or the limit
   specified by the server.  If the time limit is exceeded on a search
   operation then the result is an arbitrary selection of the
   accumulated results [X511, Section 7.5].  Note that an arbitrary
   selection of results may mean that no results are returned to the
   client.

   If the LDAP server is a front end for an X.500 server, any operation
   that is chained may exceed the time limit; therefore clients can
   expect to receive timeLimitExceeded for all operations. For stand-
   alone LDAP servers that do not implement chaining it is unlikely that
   operations other than search operations will exceed the defined
   time limit.


5.2.2.4.2 sizeLimitExceeded(4)

   Applicable operations: Search.

   This error should be returned when the number of results generated by
   a search exceeds the maximum number of results specified by either
   the client or the server. If the size limit is exceeded then the
   results of a search operation will be an arbitrary selection of the
   accumulated results, equal in number to the size limit [X511, Section
   7.5].

5.2.2.4.3 adminLimitExceeded(11)

   Applicable operations: all.

   This error code is new in LDAPv3.  The server has reached some limit
   set by an administrative authority, and no partial results are
   available to return to the user [X511, Section 12.8].  For example,
   there may be an administrative limit to the number of entries a
   server will check when gathering potential search result candidates
   [Net].

5.2.2.4.4 unavailableCriticalExtension(12)

   Applicable operations: all.

   This error code is new in LDAPv3.  The server was unable to satisfy
   the request because one or more critical extensions were not
   available [X511, Section 12.8]. This error is returned, for example,
   when a control submitted with a request is marked critical but is not
   recognized by a server or when such a control is not appropriate for
   the operation type [RFC2251, Section 4.1.12].

5.2.2.4.5 busy(51)

   Applicable operations: all.

   This error code may be returned if the server is unable to process
   the client's request at this time. This implies that if the client
   retries the request shortly the server will be able to process it
   then.

5.2.2.4.6 unavailable(52)

   Applicable operations: all.

   This error code is returned when the server is unavailable to process
   the client's request. This usually means that the LDAP server is
   shutting down [RFC2251, Section 4.2.3].

5.2.2.4.7 unwillingToPerform(53)

   Applicable operations: all.

   This error code should be returned by the server when a client
   request is properly formed but which the server is unable to complete
   due to server-defined restrictions.  For example, the server, or some
   part of it, is not prepared to execute this request, e.g. because it
   would lead to excessive consumption of resources or violates the
   policy of an Administrative Authority involved [X511, Section 12.8].
   If the server is able to return a more specific error code such as
   adminLimitExceeded it should. This error may also be returned if the
   client attempts to modify attributes which can not be modified by
   users, e.g., operational attributes such as creatorsName or
   createTimestamp [X511, Section 7.12]. If appropriate, details of the
   error should be provided in the error message.

5.2.2.4.8 loopDetect(54)

   Applicable operations: all.

   This error may be returned by the server if it detects an alias or
   referral loop, and is unable to satisfy the client's request.

5.2.2.5 UpdateProblem Error Codes

   An update error reports problems related to attempts to add, delete,
   or modify information in the DIB [X511, Section 12.9].

5.2.2.5.1 namingViolation(64)

   Applicable operations: Add, ModifyDN.

   The attempted addition or modification would violate the structure
   rules of the DIT as defined in the directory schema and X.501.  That
   is, it would place an entry as the subordinate of an alias entry, or
   in a region of the DIT not permitted to a member of its object class,
   or would define an RDN for an entry to include a forbidden attribute
   type [X511, Section 12.9].

5.2.2.5.2 objectClassViolation(65)

   Applicable operations: Modify, Add, ModifyDN.

   This error should be returned if the operation requested by the user
   would violate the objectClass requirements for the entry if carried
   out. On an add or modify operation this would result from trying to
   add an object class without a required attribute, or by trying to add
   an attribute which is not permitted by the current object class set
   in the entry. On a modify operation this may result from trying to
   remove a required attribute without removing the associated auxiliary
   object class, or by attempting to remove an object class while the
   attributes it permits are still present.

5.2.2.5.3 notAllowedOnNonLeaf(66)

   Applicable operations: Delete, ModifyDN.

   This error should be returned if the client attempts to perform an
   operation which is permitted only on leaf entries, e.g., if the
   client attempts to delete a non-leaf entry.  If the directory does
   not permit ModifyDN for non-leaf entries then this error may be
   returned if the client attempts to change the DN of a non-leaf entry.
   (Note that 1988 edition X.500 servers only permitted change of the
   RDN of an entry's DN [X511, Section 11.4.1].)

5.2.2.5.4 notAllowedOnRDN(67)

   Applicable operations: Modify.

   The attempted operation would affect the RDN (e.g., removal of an
   attribute which is a part of the RDN) [X511, Section 12.9].  If the
   client attempts to remove from an entry any of its distinguished
   values, that is, the values which form the entry's relative
   distinguished name, the server should return the error
   notAllowedOnRDN [RFC2251, Section 4.6].

5.2.2.5.5 entryAlreadyExists(68)

   Applicable operations: Add, ModifyDN.

   This error should be returned by the server when the client attempts
   to add an entry which already exists, or if the client attempts to
   rename an entry with the name of an entry which exists.

5.2.2.5.6 objectClassModsProhibited(69)

   Applicable operations: Modify.

   An operation attempted to modify an object class that should not be
   modified, e.g., the structural object class of an entry.  Some
   servers may not permit object class modifications, especially
   modifications to the structural object class since this may change
   the entry entirely, name forms, structure rules etc. [X511, Section
   12.9].

5.2.2.5.7 affectsMultipleDSAs(71)

   Applicable operations: ModifyDN.

   This error code is new for LDAPv3. This error code should be returned
   to indicate that the operation could not be performed since it
   affects more than one DSA.

   X.500 restricts the ModifyDN operation to only affect entries that
   are contained within a single server. If the LDAP server is mapped
   onto DAP, then this restriction will apply, and the resultCode
   affectsMultipleDSAs will be returned if this error occurred. In
   general clients MUST NOT expect to be able to perform arbitrary
   movements of entries and subtrees between servers [RFC2251, Section
   4.9].

5.3 Error Precedence

   A server MUST return only a single result code to a client.  The
   following list specifies the precedence of errors in the case that
   more than one error is detected [X511]:

   1. Specific Errors;
        i. Name Errors;
        ii. Update Errors;
        iii. Attribute Errors;
        iv. Security Errors;
        v. Service Errors;
   2. General Errors.

6 LDAP Operations

   LDAP v3 [RFC2251] defines the following LDAPMessage for conveyance of
   the intended operation request from the client to the server.

   LDAPMessage ::= SEQUENCE {
        messageID   MessageID,
        protocolOp  CHOICE {
                bindRequest     BindRequest,
                bindResponse    BindResponse,
                unbindRequest   UnbindRequest,
                searchRequest   SearchRequest,
                searchResEntry  SearchResultEntry,
                searchResDone   SearchResultDone,
                searchResRef    SearchResultReference,
                modifyRequest   ModifyRequest,
                modifyResponse  ModifyResponse,
                addRequest      AddRequest,
                addResponse     AddResponse,
                delRequest      DelRequest,
                delResponse     DelResponse,
                modDNRequest    ModifyDNRequest,
                modDNResponse   ModifyDNResponse,
                compareRequest  CompareRequest,
                compareResponse CompareResponse,
                abandonRequest  AbandonRequest,
                extendedReq     ExtendedRequest,
                extendedResp    ExtendedResponse },
        controls       [0] Controls OPTIONAL }

   MessageID ::= INTEGER (0 .. maxInt)

   maxInt INTEGER ::= 2147483647 -- (2^^31 - 1) --

   Starting in Section 6.2, behaviour regarding the return of each
   result code is specified for each operation.  Section 6.1 indicates
   those result codes that are typically applicable to all operations.

6.1 Common Result Codes

   The following result codes are applicable to, and may be returned in
   response to all operations (except where stated otherwise).

6.1.1 Non-erroneous results

   For all but a Compare operation, a success(0) result code will be
   returned in the case that the requested operation succeeds; a
   compareTrue would be returned for a Compare operation.  For each
   operation, the server may return referral(10), as defined in Section
   5.1.4.

6.1.2 Security Errors

   Of the six possible security errors, two may be returned in response
   to every operation.  These two errors are strongAuthRequired(8) and
   confidentialityRequired(13).

6.1.3 Service Errors

   All service errors, except sizeLimitExceeded(4) may be returned in
   response to any LDAP v3 operation.  sizeLimitExceeded is only
   applicable to the Search operation.

6.1.4 General Errors

   All general errors are applicable to all operations. The list of
   general errors includes operationsError, protocolError, and other.

6.2 Bind Operation Errors

   If the bind operation succeeds then a result code of success will be
   returned to the client. If the server does not hold the target entry
   of the request, a referral(10) may be returned.  If the operation
   fails then the result code will be one of the following from the set
   of non-erroneous results, name errors, security errors, service
   errors, and general errors.

   If the server does not support the client's requested protocol
   version, it MUST set the resultCode to protocolError.
   If the client receives a BindResponse response where the resultCode
   was protocolError, it MUST close the connection as the server will be
   unwilling to accept further operations. (This is for compatibility
   with earlier versions of LDAP, in which the bind was always the first
   operation, and there was no negotiation.) [RFC2251, Section 5.2.3]

   The remaining errors listed in this section are operation-specific.
   An operation may also result in the return of any of the common
   errors, as listed in Section 6.1.

6.2.1 Non-erroneous results

   In addition to success or referral, the following non-erroneous
   result code may be returned:

   saslBindInProgress: the server requires the client to send a new bind
   request, with the same SASL mechanism, to continue the authentication
   process.

6.2.2 Name Errors

   invalidDNSyntax: the DN provided does not have the correct syntax.

6.2.3 Security Errors

   As stated in Section 6.1.2, strongAuthRequired(8) and
   confidentialityRequired(13) may be returned for any operation.

   authMethodNotSupported: unrecognized SASL mechanism name.

   inappropriateAuthentication: the server requires the client, which
   had attempted to bind anonymously or without supplying credentials,
   to provide some form of credentials.

   invalidCredentials: the wrong password was supplied or the SASL
   credentials could not be processed [RFC2251, Section 4.2.3].
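
   A client-side Bind driver that acts on the result codes of Sections
   6.1 and 6.2, as an added example (Python; not code from the draft):
   it continues a multi-step SASL exchange on saslBindInProgress,
   retries on busy, and closes the connection on protocolError as
   RFC 2251 requires. The BindAction names, the scripted_server stand-in
   and the retry limit are assumptions.

```python
# Added example (not from the draft): a client-side Bind driver that acts
# on the Bind result codes of Sections 6.1 and 6.2.  The scripted server
# and the action names are constructed; the numeric codes are the draft's.
from enum import Enum


class BindAction(Enum):
    DONE = "bound"
    CONTINUE_SASL = "send next SASL step with the same mechanism"
    RETRY_LATER = "retry shortly"
    CLOSE = "close the connection"
    FAIL = "do not retry with the same credentials"


# resultCode -> client action, per Sections 5.2.2 and 6.2.
BIND_ACTIONS = {
    0: BindAction.DONE,              # success
    14: BindAction.CONTINUE_SASL,    # saslBindInProgress
    51: BindAction.RETRY_LATER,      # busy: server expects a retry shortly
    2: BindAction.CLOSE,             # protocolError: client MUST close
    52: BindAction.CLOSE,            # unavailable: server is shutting down
    7: BindAction.FAIL,              # authMethodNotSupported
    8: BindAction.FAIL,              # strongAuthRequired
    10: BindAction.FAIL,             # referral: this client does not follow it
    13: BindAction.FAIL,             # confidentialityRequired
    34: BindAction.FAIL,             # invalidDNSyntax
    48: BindAction.FAIL,             # inappropriateAuthentication
    49: BindAction.FAIL,             # invalidCredentials
}


def bind(send, max_busy_retries=3, wait=lambda attempt: None):
    """Drive one Bind to completion.

    `send(sasl_step)` issues a BindRequest (sasl_step is the previous
    serverSaslCreds, or None for the first request) and returns
    (resultCode, serverSaslCreds).  `wait(attempt)` is called before a
    busy retry (e.g. a sleep with backoff).  Returns (BindAction, number
    of requests sent)."""
    attempts, sasl_step = 0, None
    while True:
        attempts += 1
        code, server_creds = send(sasl_step)
        action = BIND_ACTIONS.get(code, BindAction.FAIL)  # unknown: fail closed
        if action is BindAction.CONTINUE_SASL:
            sasl_step = server_creds     # feed the challenge into the next step
            continue
        if action is BindAction.RETRY_LATER and attempts <= max_busy_retries:
            wait(attempts)
            continue
        return action, attempts


def scripted_server(responses):
    """Constructed stand-in for a server: replays (resultCode, creds) in order."""
    queue = list(responses)

    def send(_sasl_step):
        return queue.pop(0)
    return send


if __name__ == "__main__":
    # Two-step SASL bind: saslBindInProgress(14), then success(0).
    print(bind(scripted_server([(14, b"challenge"), (0, None)])))
    # Server busy twice, then success.
    print(bind(scripted_server([(51, None), (51, None), (0, None)])))
    # protocolError on bind: the connection must be closed.
    print(bind(scripted_server([(2, None)])))
```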

6.3 Search Operation Errors

   X.500 provides three separate operations for searching the directory:
   Read of a single entry, List of an entry's children, and Search of an
   entire subtree.  LDAP provides a single Search operation, but the
   X.500 operations can be simulated by using base, one-level and
   subtree scope restrictions respectively.

   If the Search operation succeeds then zero or more search entries
   will be returned followed by a search result of success. If the
   server does not hold the target entry of the request, a referral(10)
   may be returned.  If the search operation fails then zero or more
   search entries will be returned followed by a search result
   containing one of the following result codes from the set of name
   errors, attribute errors, security errors, service errors, and
   general errors.

   The remaining errors listed in this section are operation-specific.
   An operation may also result in the return of any of the common
   errors, as listed in Section 6.1.

6.3.1 Name Errors

   noSuchObject: the base object, for the search, does not exist.

   aliasProblem: an alias was dereferenced which named no object.

   invalidDNSyntax: the DN provided for the search base does not have
   the correct syntax.

   aliasDereferencingProblem: the client does not have permission for
   the aliasedObjectName attribute or to search the dereferenced alias
   object.

6.3.2 Attribute Errors

   inappropriateMatching: an attempt was made to use a matching rule not
   defined for an attribute in the search filter.

6.3.3 Security Errors

   As stated in Section 6.1.2, strongAuthRequired(8) and
   confidentialityRequired(13) may be returned for any operation.

   insufficientAccessRights: The requestor does not have sufficient
   permissions to perform the search.

6.3.4 Service Errors

   In addition to the common service errors indicated in Section 6.1.3,
   the following service error may also be returned:

   sizeLimitExceeded: the number of search results exceeds the size
   limit specified by the client or the server. If the server has
   defined a maximum PDU size, this error may also be returned if the
   size of the combined results exceeds this limit.

6.4 Modify Operation Errors

   The Modify operation cannot be used to remove from an entry any of
   its distinguished values, those values that form the entry's relative
   distinguished name. An attempt to do so will result in the server
   returning the error notAllowedOnRDN.  The ModifyDN operation
   (Section 4.9 of RFC 2251; Section 6.7 of this document) is used to
   rename an entry [RFC2251, Section 4.6].

   If the modify operation succeeds, a result code of success will be
   returned to the client. If the server does not hold the target entry
   of the request, a referral(10) may be returned.  If the operation
   fails, the result code will be one of the following from the set of
   name errors, update errors, attribute errors, security errors,
   service errors, and general errors.

   The remaining errors listed in this section are operation-specific.
   An operation may also result in the return of any of the common
   errors, as listed in Section 6.1.

6.4.1 Name Errors

   noSuchObject: the target object does not exist.

   invalidDNSyntax: the DN provided does not have the correct syntax.

6.4.2 Update Errors

   objectClassViolation: An attempt was made to modify an object which
   is illegal according to its object class definition in the schema or
   DIT content rules for that object class.

   notAllowedOnRDN: an attempt was made to modify the object entry's
   distinguished name.

   objectClassModsProhibited: the modification attempted to change an
   entry's object class, which is not allowed.

6.4.3 Attribute Errors

   noSuchAttribute: the attribute to be modified does not exist in the
   target entry.

   undefinedAttributeType: The attribute specified does not exist in the
   server's defined schema.

   constraintViolation: The modification would create an attribute value
   outside the normal bounds.

   attributeOrValueExists: The modification would create a value which
   already exists within the attribute.

   invalidAttributeSyntax: The value specified doesn't adhere to the
   syntax definition for that attribute.

6.4.4 Security Errors

   As stated in Section 6.1.2, strongAuthRequired(8) and
   confidentialityRequired(13) may be returned for any operation.

   insufficientAccessRights: The requestor does not have sufficient
   permissions to modify the entry.
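
   The Modify checks of Sections 6.4.1 to 6.4.4, combined with the
   precedence rule of Section 5.3, as an added example (Python; not code
   from the draft or from any server it cites): a validator collects
   every error it detects on one Modify request and then reports the
   single result code that precedence selects. The schema, directory
   entry, request format and the select_result_code/validate_modify
   names are assumptions, and ties inside one precedence class are
   broken by detection order, which the draft does not specify.

```python
# Added example (not from the draft): Modify-request validation that
# collects every detected error, then reports one result code as required
# by Section 5.3.  Schema, entries and requests are constructed samples.

# Precedence classes of Section 5.3; the lowest rank wins.
PRECEDENCE = {"name": 1, "update": 2, "attribute": 3,
              "security": 4, "service": 5, "general": 6}

# Result codes used below: name -> (number, precedence class).
CODE_CLASS = {
    "noSuchObject": (32, "name"),
    "objectClassViolation": (65, "update"),
    "notAllowedOnRDN": (67, "update"),
    "objectClassModsProhibited": (69, "update"),
    "noSuchAttribute": (16, "attribute"),
    "undefinedAttributeType": (17, "attribute"),
    "attributeOrValueExists": (20, "attribute"),
    "unwillingToPerform": (53, "service"),
}

# Constructed, simplified schema.
SCHEMA_ATTRS = {"objectClass", "cn", "sn", "telephoneNumber", "creatorsName"}
OPERATIONAL = {"creatorsName", "createTimestamp"}   # not user-modifiable
MUST = {"top": {"objectClass"}, "person": {"cn", "sn"}}  # required attributes


def select_result_code(detected):
    """Section 5.3: only one result code goes back; choose it by class
    precedence.  `detected` is a list in detection order and min() keeps
    the first of equally ranked entries, so ties are deterministic."""
    if not detected:
        return "success", 0
    name = min(detected, key=lambda n: PRECEDENCE[CODE_CLASS[n][1]])
    return name, CODE_CLASS[name][0]


def rdn_values(dn):
    """'cn=Foo,dc=example' -> {('cn', 'Foo')}; '+' joins multi-valued RDNs."""
    return {tuple(ava.split("=", 1)) for ava in dn.split(",", 1)[0].split("+")}


def validate_modify(directory, dn, mods):
    """Return (name, number) of the result code for a Modify of `dn`.
    `mods` is a list of (op, attribute, values) with op add/delete/replace;
    an empty values list on delete removes the whole attribute."""
    entry = directory.get(dn)
    if entry is None:
        return select_result_code(["noSuchObject"])       # name error
    detected, rdn = [], rdn_values(dn)
    new = {a: set(v) for a, v in entry.items()}          # apply on a copy
    for op, attr, values in mods:
        values = set(values)
        if attr not in SCHEMA_ATTRS:
            detected.append("undefinedAttributeType")
            continue
        if attr in OPERATIONAL:           # creatorsName etc. (5.2.2.4.7)
            detected.append("unwillingToPerform")
            continue
        if attr == "objectClass":         # this server refuses class changes
            detected.append("objectClassModsProhibited")
            continue
        current = new.setdefault(attr, set())
        if op == "add":
            if current & values:
                detected.append("attributeOrValueExists")
            current |= values
        elif op == "delete":
            if not current:
                detected.append("noSuchAttribute")
            removed = values or set(current)
            if any((attr, v) in rdn for v in removed):
                detected.append("notAllowedOnRDN")        # RFC2251 4.6
            current -= removed
        elif op == "replace":
            if any((attr, v) in rdn for v in current - values):
                detected.append("notAllowedOnRDN")
            new[attr] = values
        if not new.get(attr):
            new.pop(attr, None)
    # Schema check on the outcome: every MUST of the entry's classes present?
    required = set().union(*(MUST.get(oc, set())
                             for oc in entry.get("objectClass", [])))
    if required - set(new):
        detected.append("objectClassViolation")
    return select_result_code(detected)


# Constructed sample directory; the entry mirrors the one in Section 6.8.4.
DIRECTORY = {"cn=Foo,dc=example": {"objectClass": ["top", "person"],
                                   "cn": ["Foo"], "sn": ["bar"]}}

if __name__ == "__main__":
    dn = "cn=Foo,dc=example"
    print(validate_modify(DIRECTORY, dn, [("add", "telephoneNumber", ["123"])]))
    # Removing the RDN value also breaks the schema; update errors tie and
    # notAllowedOnRDN, detected first, is reported.
    print(validate_modify(DIRECTORY, dn, [("delete", "cn", ["Foo"])]))
    # An update error outranks an attribute error.
    print(validate_modify(DIRECTORY, dn,
                          [("delete", "sn", []), ("add", "bogusAttr", ["x"])]))
```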

6.5 Add Operation Errors

   The superior of the entry must exist for the operation to succeed. If
   not, a noSuchObject error is returned and the matchedDN field will
   contain the name of the lowest entry in the directory that was
   matched.

   If the add operation succeeds, a result code of success will be
   returned to the client. If the server does not hold the target entry
   of the request, a referral(10) may be returned.  If the operation
   fails, the result code will be one of the following from the set of
   name errors, update errors, attribute errors, security errors,
   service errors, and general errors.

   The remaining errors listed in this section are operation-specific.
   An operation may also result in the return of any of the common
   errors, as listed in Section 6.1.

6.5.1 Name Errors

   noSuchObject: One or more superiors to the target entry do not exist.

   invalidDNSyntax: the DN provided does not have the correct syntax.

6.5.2 Update Errors

   namingViolation: Either the target entry cannot be created under the
   specified superior due to DIT structure rules, or the target entry is
   named by an RDN not permitted by the DIT name form rule for its
   object class.

   objectClassViolation: An attempt was made to add an entry and one of
   the following conditions existed: A required attribute was not
   specified; an attribute was specified which is not permitted by the
   current object class set in the entry; a structural object class
   value was not specified; an object class value was specified that
   doesn't exist in the schema.

   entryAlreadyExists: The target entry already exists.

6.5.3 Attribute Errors

   undefinedAttributeType: The attribute specified does not exist in the
   server's defined schema.

   constraintViolation: The attribute value falls outside the bounds
   specified by the attribute syntax.

   attributeOrValueExists: A duplicate attribute value appears in the
   list of attributes for the entry.

   invalidAttributeSyntax: The value specified doesn't adhere to the
   syntax definition for that attribute.

6.5.4 Security Errors

   As stated in Section 6.1.2, strongAuthRequired(8) and
   confidentialityRequired(13) may be returned for any operation.

   insufficientAccessRights: The requestor does not have sufficient
   permissions to either add the entry or to add one or more of the
   attributes specified.

6.6 Delete Operation Errors

   If the delete operation succeeds, a result code of success will be
   returned to the client. If the server does not hold the target entry
   of the request, a referral(10) may be returned.  If the operation
   fails, the result code will be one of the following from the set of
   name errors, update errors, security errors, service errors, and
   general errors.

   The remaining errors listed in this section are operation-specific.
   An operation may also result in the return of any of the common
   errors, as listed in Section 6.1.

6.6.1 Name Errors

   noSuchObject: The target entry does not exist.

   invalidDNSyntax: the DN provided does not have the correct syntax.

6.6.2 Update Errors

   notAllowedOnNonLeaf: The target entry is not a leaf object. Only
   objects having no subordinate objects in the tree may be deleted.

6.6.3 Security Errors

   As stated in Section 6.1.2, strongAuthRequired(8) and
   confidentialityRequired(13) may be returned for any operation.

   insufficientAccessRights: The requestor does not have sufficient
   permissions to delete the entry.

6.7 ModifyDN Operation Errors

   Note that X.500 restricts the ModifyDN operation to only affect
   entries that are contained within a single server. If the LDAP server
   is mapped onto DAP, then this restriction will apply, and the
   resultCode affectsMultipleDSAs will be returned if this error
   occurred. In general clients MUST NOT expect to be able to perform
   arbitrary movements of entries and subtrees between servers.
   [RFC2251, Section 4.9]

   If the Modify DN operation succeeds then a result code of success
   will be returned to the client. If the server does not hold the
   target entry of the request, a referral(10) may be returned.  If the
   operation fails then the result code will be one of the following
   from the set of name errors, update errors, attribute errors,
   security errors, service errors, and general errors.

   The remaining errors listed in this section are operation-specific.
   An operation may also result in the return of any of the common
   errors, as listed in Section 6.1.

6.7.1 Name Errors

   noSuchObject: the target object does not exist or a new superior
   object was specified that does not exist.

   invalidDNSyntax: the DN provided does not have the correct syntax.

6.7.2 Update Errors

   namingViolation: Either the target entry cannot be moved to the
   specified superior due to DIT structure rules, or the target entry is
   named by an RDN not permitted by the DIT name form rule for its
   object class.

   objectClassViolation: The client has specified that the old RDN
   values should be removed from the entry (using the 'deleteOldRdn'
   parameter) but the removal of these values would violate the entry's
   schema. [RFC 2251 Section 4.9]

   notAllowedOnNonLeaf: if the server does not permit the ModifyDN
   operation on non-leaf entries, this error will be returned if the
   client attempts to rename a non-leaf entry.

   entryAlreadyExists: The target entry already exists.

   affectsMultipleDSAs:  X.500 restricts the ModifyDN operation to only
   affect entries that are contained within a single server. If the LDAP
   server is mapped onto DAP, then this restriction will apply, and the
   resultCode affectsMultipleDSAs will be returned if this error
   occurred. In general clients MUST NOT expect to be able to perform
   arbitrary movements of entries and sub-trees between servers.
   [RFC2251, Section 4.9]

6.7.3 Attribute Errors

   constraintViolation: The operation would create an attribute value
   outside the normal bounds.

6.7.4 Security Errors

   As stated in Section 6.1.2, strongAuthRequired(8) and
   confidentialityRequired(13) may be returned for any operation.

   insufficientAccessRights: The requestor does not have sufficient
   permissions to either add the entry or to add one or more of the
   attributes specified.

6.8 Compare Operation Errors

   If there exists a value within the attribute being compared that
   matches the purported argument and for which compare permission is
   granted, the operation returns the value compareTrue in the result;
   otherwise the operation returns compareFalse [X511, Section 9.2.4].
   If the server does not hold the target entry of the request, a
   referral(10) may be returned.

   If the compare operation can not be completed, then the server may
   return one of the following results from the set of name errors,
   attribute errors, security errors, service errors, and general
   errors.

   The remaining errors listed in this section are operation-specific.
   An operation may also result in the return of any of the common
   errors, as listed in Section 6.1.

6.8.1 Name Errors

   noSuchObject: the entry to be compared does not exist in the
   directory.

   invalidDNSyntax: the DN provided for the entry to be compared does
   not have the correct syntax.

6.8.2 Attribute Errors

   noSuchAttribute: the attribute to be compared does not exist in the
   target entry.

   invalidAttributeSyntax: The value specified doesn't adhere to the
   syntax definition for that attribute.

6.8.3 Security Errors

   As stated in Section 6.1.2, strongAuthRequired(8) and
   confidentialityRequired(13) may be returned for any operation.

   insufficientAccessRights: if the client does not have read permission
   for the entry to be compared, or for the attribute, then
   insufficientAccessRights should be returned [X511, Section 9.2.4].

6.8.4 Example

   The following example is included to demonstrate the expected
   responses for the compare operation.
   Given the following entry:

   dn: cn=Foo
   objectClass: top
   objectClass: person
   sn: bar
   userPassword: xyz

   i) Compare with userPassword=xyz results in a compareTrue because the
   requested value exists in the entry.

   ii) Compare with userPassword=abc results in a compareFalse because
   the entry contains a userPassword attribute but the value abc is not
   present.

   iii) Compare with telephoneNumber=123-456-7890 results in a
   noSuchAttribute. The attribute telephoneNumber is permissible in the
   entry based on the schema defined in the server but because it is
   empty it does not exist in the target entry.

   iv) Compare with ou=myOrg results in noSuchAttribute. The requested
   attribute is a recognized attribute but it is neither present nor is
   it valid for the target entry.

   v) Compare with bogusAttr=abc results in noSuchAttribute. The
   requested attribute is not a recognized attribute nor is it present
   in the target entry.

   Note that the response for scenarios iii) through v) is always
   noSuchAttribute.  The semantics of the compare operation is simply
   "does the target entry contain the specified value?" and so no
   distinction is made between a request for an unknown, invalid, or
   valid but empty attribute.  In all cases, if the attribute is not
   present in the entry then the result is noSuchAttribute.
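
   The Compare semantics of Sections 6.8 and 6.8.4 as an added example
   (Python; not code from the draft): compare() returns compareTrue,
   compareFalse, noSuchAttribute, noSuchObject or
   insufficientAccessRights for the entry shown above. The per-attribute
   equality rules (case-insensitive by default, exact constant-time
   octet comparison for userPassword) and the may_read permission hook
   are assumptions.

```python
# Added example (not from the draft): the Compare semantics of Section 6.8
# applied to the entry of Section 6.8.4.  The matching-rule table and the
# access-check hook are constructed assumptions.
import hmac


def _case_ignore(stored, asserted):
    """Constructed stand-in for caseIgnoreMatch: fold case, squeeze spaces."""
    return " ".join(stored.split()).lower() == " ".join(asserted.split()).lower()


def _octet_string(stored, asserted):
    """Exact comparison in constant time; used for userPassword so a
    Compare cannot be used as a timing oracle on the stored value."""
    return hmac.compare_digest(stored.encode(), asserted.encode())


# Equality rule per attribute; anything not listed uses _case_ignore.
EQUALITY = {"userPassword": _octet_string}

# The entry from Section 6.8.4, keyed by DN (no cn attribute is listed there).
DIRECTORY = {"cn=Foo": {"objectClass": ["top", "person"],
                        "sn": ["bar"], "userPassword": ["xyz"]}}


def compare(directory, dn, attribute, value, may_read=lambda dn, attr: True):
    """Return the result code name for a Compare of attribute=value on dn.
    `may_read(dn, attr)` models the compare/read permission of Section 6.8.3."""
    entry = directory.get(dn)
    if entry is None:
        return "noSuchObject"                 # name error, Section 6.8.1
    if not may_read(dn, attribute):
        return "insufficientAccessRights"     # security error, Section 6.8.3
    present = entry.get(attribute, [])
    if not present:
        # Unknown, not-valid-for-this-entry and merely empty attributes are
        # all reported the same way (scenarios iii to v of Section 6.8.4).
        return "noSuchAttribute"
    match = EQUALITY.get(attribute, _case_ignore)
    return "compareTrue" if any(match(v, value) for v in present) else "compareFalse"


if __name__ == "__main__":
    for attr, val in [("userPassword", "xyz"), ("userPassword", "abc"),
                      ("telephoneNumber", "123-456-7890"), ("ou", "myOrg"),
                      ("bogusAttr", "abc")]:
        print(f"{attr}={val}: {compare(DIRECTORY, 'cn=Foo', attr, val)}")
```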

6.9 Extended Operation Errors

   The results returned for an extended operation vary, depending on the
   particular operation.  At least, the general responses that apply to
   every operation will certainly apply to an extended operation.  The
   precedence of error codes, as described in Section 5.3, applies as
   well to any extended operation.

   If the server does not recognize the request name, it MUST return
   only the response fields from LDAPResult, containing the
   protocolError result code [RFC2251, Section 4.12].

6.10 Operations with no Server Response

   The LDAP v3 protocol has two client operations for which no server
   response is returned.  Specifically, these are unbindRequest, and
   abandonRequest.  Since no response is returned, there is no need to
   consider possible result codes for these operations.

6.11 Unsolicited Notification

   In some situations, a server may issue a "response" to a client for
   which there was no client request.   This notification "is used to
   signal an extraordinary condition in the server or in the connection
   between the client and the server.  The notification is of an
   advisory nature, and the server will not expect any response to be
   returned from the client." [RFC2251, Section 4.4]

   RFC 2251 [RFC2251] describes a notice of disconnection in which a
   protocolError, strongAuthRequired, or unavailable result code may be
   returned.  The reader is directed there for further information.


7. Security Considerations

   This draft is meant to complement and enhance the coverage of result
   codes for LDAP v3, as described in RFC 2251 [RFC2251].  Section 7 of
   RFC 2251 [RFC2251] lists a number of security considerations specific
   to LDAP v3.

   Note that in X.500 if the discloseOnError permission is not granted
   then many operations will return noSuchObject instead of a more
   specific error. As there is currently no equivalent for this
   permission in LDAP, LDAP-only servers should return the appropriate
   error code in the event of an error.

8. References

   [RFC2026]    S. Bradner, "The Internet Standards Process - Revision
                3", RFC 2026, October 1996.

   [RFC2119]    S. Bradner, "Key words for use in RFCs to Indicate
                Requirement Levels", RFC 2119, March 1997.

   [RFC2251]    M. Wahl, T. Howes, S. Kille, "Lightweight Directory
                Access Protocol", RFC 2251, December 1997.

   [X511]       ITU-T Recommendation X.511, "The Directory: Abstract
                Service Definition", 1993.

   [TLS]        J. Hodges, R.L. Morgan, M. Wahl, "Lightweight Directory
                Access Protocol (v3): Extension for Transport Layer
                Security", June 1999, <draft-ietf-ldapext-ldapv3-tls-
                05.txt>, work in progress.

   [Net]        Netscape Directory SDK 3.0 for C Programmer's Guide,
                Chapter 19: Result Codes.


9. Acknowledgments

   The production of this document relied heavily on the information
   available from RFC 2251 [RFC2251] and ITU-T Recommendation X.511
   [X511].

10. Author's Addresses

   Mike Just
   Entrust Technologies
   750 Heron Rd, Tower E
   Ottawa, Ontario, Canada
   mike.just@entrust.com

   Kristianne Leclair
   Entrust Technologies
   750 Heron Rd, Tower E
   Ottawa, Ontario, Canada
   kristianne.leclair@entrust.com

   Jim Sermersheim
   Novell
   122 East 1700 South
   Provo, Utah 84606, USA

   Mark Smith
   Netscape
   501 Ellis Street
   Mountain View, CA 94043


11 Appendix A: Operation/Response Matrix


   Operations: B = Bind, S = Search, M = Modify, A = Add, D = Delete,
   N = Modify DN, C = Compare.  An "X" marks a result code that the
   operation may return.

   Result code                          B    S    M    A    D    N    C
   -----------------------------------------------------------------
   Non-erroneous results
   success (0)                          X    X    X    X    X    X
   compareFalse (5)                                                   X
   compareTrue (6)                                                    X
   referral (10)                        X    X    X    X    X    X    X
   saslBindInProgress (14)              X

   Name errors
   noSuchObject (32)                         X    X    X    X    X    X
   aliasProblem (33)                         X
   invalidDNSyntax (34)                 X    X    X    X    X    X    X
   aliasDereferencingProblem (36)            X

   Update errors
   namingViolation (64)                                X         X
   objectClassViolation (65)                      X    X         X
   notAllowedOnNonLeaf (66)                                 X    X
   notAllowedOnRDN (67)                           X
   entryAlreadyExists (68)                             X         X
   objectClassModsProhibited (69)                 X
   affectsMultipleDSAs (71)                                      X

   Attribute errors
   noSuchAttribute (16)                           X                   X
   undefinedAttributeType (17)                    X    X
   inappropriateMatching (18)                X
   constraintViolation (19)                       X    X         X
   attributeOrValueExists (20)                    X    X
   invalidAttributeSyntax (21)                    X    X

   Security errors
   authMethodNotSupported (7)           X
   strongAuthRequired (8)               X    X    X    X    X    X    X
   confidentialityRequired (13)         X    X    X    X    X    X    X
   inappropriateAuthentication (48)     X
   invalidCredentials (49)              X
   insufficientAccessRights (50)             X    X    X    X    X    X

   Service errors
   timeLimitExceeded (3)                X    X    X    X    X    X    X
   sizeLimitExceeded (4)                     X
   adminLimitExceeded (11)              X    X    X    X    X    X    X
   unavailableCriticalExtension (12)    X    X    X    X    X    X    X
   busy (51)                            X    X    X    X    X    X    X
   unavailable (52)                     X    X    X    X    X    X    X
   unwillingToPerform (53)              X    X    X    X    X    X    X
   loopDetect (54)                      X    X    X    X    X    X    X

   General errors
   operationsError (1)                  X    X    X    X    X    X    X
   protocolError (2)                    X    X    X    X    X    X    X
   other (80)                           X    X    X    X    X    X    X
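   A client can apply the matrix above mechanically: a result code that
   Appendix A does not list for the operation in question points at a
   non-compliant server or a damaged response, and is worth logging
   rather than being silently mapped onto the nearest sensible meaning.
   The Python program below is an added example (it is not part of this
   draft and is not taken from any LDAP SDK) that decodes an
   LDAPResult-carrying response PDU and classifies its resultCode against
   a transcription of the matrix.  It assumes the RFC 2251 application
   tags for the seven response types (bindResponse 1, searchResultDone 5,
   modifyResponse 7, addResponse 9, delResponse 11, modDNResponse 13,
   compareResponse 15), handles definite-length BER only, and builds its
   sample PDUs itself; the names encode_result, decode_result and
   check_result are this example's own.

```python
"""Decode an LDAPv3 result PDU and check its resultCode against the draft's
Appendix A operation/response matrix.  Added example, not part of the draft
or of any LDAP SDK: MATRIX is transcribed from Appendix A, the BER helpers
handle definite lengths only, and the sample PDUs are constructed here."""

# Application tags of the LDAPResult-carrying responses (RFC 2251, 4.1.1).
RESPONSE_OPS = {1: "bind", 5: "search", 7: "modify", 9: "add",
                11: "delete", 13: "modDN", 15: "compare"}
OP_TAGS = {op: tag for tag, op in RESPONSE_OPS.items()}
ALL = frozenset(RESPONSE_OPS.values())

# Appendix A transcribed: resultCode -> operations that may return it.
MATRIX = {
    0: ALL - {"compare"}, 5: {"compare"}, 6: {"compare"}, 10: ALL, 14: {"bind"},
    32: ALL - {"bind"}, 33: {"search"}, 34: ALL, 36: {"search"},
    64: {"add", "modDN"}, 65: {"modify", "add", "modDN"}, 66: {"delete", "modDN"},
    67: {"modify"}, 68: {"add", "modDN"}, 69: {"modify"}, 71: {"modDN"},
    16: {"modify", "compare"}, 17: {"modify", "add"}, 18: {"search"},
    19: {"modify", "add", "modDN"}, 20: {"modify", "add"}, 21: {"modify", "add"},
    7: {"bind"}, 8: ALL, 13: ALL, 48: {"bind"}, 49: {"bind"}, 50: ALL - {"bind"},
    3: ALL, 4: {"search"}, 11: ALL, 12: ALL, 51: ALL, 52: ALL, 53: ALL, 54: ALL,
    1: ALL, 2: ALL, 80: ALL,
}

def _ber_len(n):
    """Definite BER length: short form below 128, long form (0x80|count) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, payload):
    return bytes([tag]) + _ber_len(len(payload)) + payload

def _int_tlv(tag, value):
    # Minimal two's-complement encoding, as BER INTEGER/ENUMERATED require.
    return _tlv(tag, value.to_bytes(value.bit_length() // 8 + 1, "big", signed=True))

def encode_result(message_id, op, code, matched_dn="", error_msg=""):
    """LDAPMessage { messageID, [APPLICATION n] { resultCode, matchedDN, errorMessage } }."""
    result = (_int_tlv(0x0A, code) + _tlv(0x04, matched_dn.encode())
              + _tlv(0x04, error_msg.encode()))
    return _tlv(0x30, _int_tlv(0x02, message_id) + _tlv(0x60 | OP_TAGS[op], result))

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the definite-length TLV at pos."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:                       # long form; 0x80 alone = indefinite
        n = first & 0x7F
        if n == 0:
            raise ValueError("indefinite length is not allowed in LDAP")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated PDU")
    return tag, buf[pos:pos + length], pos + length

def decode_result(pdu):
    """Parse a response PDU; raises ValueError on anything malformed."""
    tag, body, _ = _read_tlv(pdu, 0)
    if tag != 0x30:
        raise ValueError("LDAPMessage must be a SEQUENCE")
    tag, mid, pos = _read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("messageID must be an INTEGER")
    tag, res, _ = _read_tlv(body, pos)
    if tag & 0xC0 != 0x40 or (tag & 0x1F) not in RESPONSE_OPS:
        raise ValueError("protocolOp is not an LDAPResult-carrying response")
    t, code, pos = _read_tlv(res, 0)
    if t != 0x0A:
        raise ValueError("resultCode must be an ENUMERATED")
    _, matched, pos = _read_tlv(res, pos)
    _, errmsg, _ = _read_tlv(res, pos)      # optional referral [3] is ignored
    return {"messageID": int.from_bytes(mid, "big", signed=True),
            "op": RESPONSE_OPS[tag & 0x1F],
            "resultCode": int.from_bytes(code, "big", signed=True),
            "matchedDN": matched.decode("utf-8"),
            "errorMessage": errmsg.decode("utf-8")}

def check_result(pdu):
    """Decode and classify: 'expected', 'unexpected-for-op' or 'unknown-code'."""
    r = decode_result(pdu)
    allowed = MATRIX.get(r["resultCode"])
    if allowed is None:
        r["verdict"] = "unknown-code"
    else:
        r["verdict"] = "expected" if r["op"] in allowed else "unexpected-for-op"
    return r

if __name__ == "__main__":
    # Constructed sample responses, not captured traffic.
    for pdu in (encode_result(1, "bind", 49, "", "invalid credentials"),
                encode_result(2, "search", 4),
                encode_result(3, "compare", 0),      # compare answers with 5 or 6
                encode_result(4, "delete", 4)):      # sizeLimitExceeded is search-only
        r = check_result(pdu)
        print(r["messageID"], r["op"], r["resultCode"], r["verdict"])
```

   Run directly, the program prints one line per constructed sample; the
   third and fourth are flagged because a compare operation answers with
   compareTrue or compareFalse rather than success, and because
   sizeLimitExceeded is listed for search only.  The decoder stops after
   errorMessage, so a trailing referral component is accepted but not
   interpreted, and a response whose outer length exceeds the buffer or
   uses an indefinite length is rejected before any field is trusted.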


12 Full Copyright Statement

   Copyright (C) The Internet Society (Oct 1999). All Rights Reserved.
   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph are
   included on all such copies and derivative works. However, this
   document itself may not be modified in any way, such as by removing
   the copyright notice or references to the Internet Society or other
   Internet organizations, except as needed for the purpose of
   developing Internet standards in which case the procedures for
   copyrights defined in the Internet Standards process must be
   followed, or as required to translate it into languages other than
   English.

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assigns.

   This document and the information contained herein is provided on an
   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
