Internet Draft                                     Mike Just, Entrust
                                               Jim Sermersheim, Novell
Document: <draft-just-ldapv3-rescodes-02.txt>              April, 2000
Category: Standards Track

LDAPv3 Result Codes: Definitions and Appropriate Use
<draft-just-ldapv3-rescodes-02.txt>
This document is an Internet-Draft and is in full conformance with
all provisions of Section 10 of RFC2026 [RFC2026].

Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that other
groups may also distribute working documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."

The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
1. Abstract

The purpose of this document is to describe, in some detail, the
meaning and use of the result codes used with the LDAPv3 protocol.
Of particular importance are the error codes, which represent the
majority of the result codes. This document provides definitions for
each result code, and outlines the expected behaviour of the various
operations with respect to how result codes and, in particular, error
conditions should be handled and which specific error code should be

It is hoped that this document will facilitate interoperability
between clients and servers and the development of intelligent LDAP
clients capable of acting upon the results received from the server.
1.1 Relationship to X.500

The LDAPv3 RFC [RFC2251] states that "An LDAP server MUST act in
accordance with the X.500(1993) series of ITU recommendations when
providing the service. However, it is not required that an LDAP
server make use of any X.500 protocols in providing this service,
e.g. LDAP can be mapped onto any other directory system so long as
the X.500 data and service model as used in LDAP is not violated in
the LDAP interface." This means that there are two types of LDAP
servers, those that act as a front end to an X.500 directory, and
stand alone LDAP servers which use some other form of repository as

Just, Leclair, Sermersheim, Smith            INTERNET-DRAFT           1

LDAPv3 Result Codes: Definitions and Appropriate Use         Apr, 2000
Because of differences between X.500 and LDAP there may be some
differences in behaviour between LDAP-only servers and LDAP servers
that act as front ends to X.500 DSAs. One such difference is the
definition of specific access controls for X.500. X.500 defines the
discloseOnError permission, an access control parameter for which
there is currently no equivalent defined for LDAP. If an LDAP server
is acting as a front end to an X.500 DSA then it may return
noSuchObject when the target entry is found but the client does not
have permission to view or modify the entry. Unless it implements
X.500-style access controls, an LDAP-only server should return
noSuchObject only when the target entry is not found, until such
time as similar access controls are defined for LDAP-only servers.
Because the client may not know what sort of LDAP server it is
communicating with it should not rely on the behaviour of the server
2. Conventions used in this document

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC-2119 [RFC2119].
3. Overview

This document collects and refines the definitions and descriptions
for LDAPv3 result codes, as found in a variety of sources (see
Section 8). In some cases, material from these sources was absent,
inadequate or ambiguous. It is the hope of this document to present
consistent definitions and descriptions of LDAPv3 result codes.

This document consists of two major sections facilitating information
searches based on either a particular result code, or LDAP operation.

Section 5 presents a glossary for the result codes. Firstly, each is
classified as either an erroneous or non-erroneous result. The
erroneous results, or error codes, are further classified based on
the types of error codes defined in X.511 [X511]. Some
reclassification was performed where appropriate. For each result
code, a definition, and list of operations that could return this

Section 6 describes, for each operation, the result codes that could
be returned for that operation. Firstly, Section 6.1 enumerates
those result codes that are applicable to all operations. Within
each remaining section (which is specific to each operation), the
error codes that are specific to that operation (in addition to the
result codes specified in Section 6.1) are presented.

Also, Appendix A (Section 11) presents a simple matrix that indicates
valid operation/result code pairs in LDAPv3.
4. Table of Contents

1. Abstract........................................................1
1.1 Relationship to X.500...........................................1
2. Conventions used in this document...............................2
3. Overview........................................................2
4. Table of Contents...............................................3
5. Result Codes in LDAPv3..........................................4
5.1 Description of Non-Erroneous Result Codes.......................6
5.1.1 success(0)...................................................6
5.1.2 compareFalse(5)..............................................6
5.1.3 compareTrue(6)...............................................6
5.1.4 referral(10).................................................7
5.1.5 saslBindInProgress(14).......................................7
5.2 Description of Error Codes......................................7
5.2.1 General Error Codes..........................................7
5.2.1.1 other(80)................................................7
5.2.2 Specific Error Codes.........................................7
5.2.2.1 Attribute Problem Error Codes............................7
5.2.2.1.1 noSuchAttribute(16)...................................8
5.2.2.1.2 undefinedAttributeType(17)............................8
5.2.2.1.3 inappropriateMatching(18).............................8
5.2.2.1.4 constraintViolation(19)...............................8
5.2.2.1.5 attributeOrValueExists(20)............................8
5.2.2.1.6 invalidAttributeSyntax(21)............................8
5.2.2.2 NameProblem Error Codes..................................9
5.2.2.2.1 noSuchObject(32)......................................9
5.2.2.2.2 aliasProblem(33)......................................9
5.2.2.2.3 invalidDNSyntax(34)...................................9
5.2.2.3 SecurityProblem Error Codes..............................9
5.2.2.3.1 authMethodNotSupported(7).............................9
5.2.2.3.2 strongAuthRequired(8)................................10
5.2.2.3.3 confidentialityRequired(13)..........................10
5.2.2.3.4 aliasDereferencingProblem(36)........................10
5.2.2.3.5 inappropriateAuthentication(48)......................10
5.2.2.3.6 invalidCredentials(49)...............................11
5.2.2.3.7 insufficientAccessRights(50).........................11
5.2.2.4 ServiceProblem Error Codes..............................11
5.2.2.4.1 operationsError(1)...................................11
5.2.2.4.2 protocolError(2).....................................11
5.2.2.4.3 timeLimitExceeded(3).................................12
5.2.2.4.4 sizeLimitExceeded(4).................................12
5.2.2.4.5 adminLimitExceeded(11)...............................12
5.2.2.4.6 unavailableCriticalExtension(12).....................12
5.2.2.4.7 busy(51).............................................13
5.2.2.4.8 unavailable(52)......................................13
5.2.2.4.9 unwillingToPerform(53)...............................13
5.2.2.4.10 loopDetect(54)......................................13
5.2.2.5 UpdateProblem Error Codes...............................13
5.2.2.5.1 namingViolation(64)..................................13
5.2.2.5.2 objectClassViolation(65).............................14
5.2.2.5.3 notAllowedOnNonLeaf(66)..............................14
5.2.2.5.4 notAllowedOnRDN(67)..................................14
5.2.2.5.5 entryAlreadyExists(68)...............................14
5.2.2.5.6 objectClassModsProhibited(69)........................14
5.2.2.5.7 affectsMultipleDSAs(71)..............................15
6 LDAP Operations.................................................15
6.1 Common Result Codes............................................16
6.1.1 Non-erroneous results.......................................16
6.1.2 Security Errors.............................................16
6.1.3 Service Errors..............................................16
6.1.4 General Errors..............................................16
6.2 Bind Operation Errors..........................................16
6.2.1 Non-erroneous results.......................................17
6.2.2 Name Errors.................................................17
6.2.3 Security Errors.............................................17
6.3 Search Operation Errors........................................17
6.3.1 Name Errors.................................................18
6.3.2 Attribute Errors............................................18
6.3.3 Security Errors.............................................18
6.3.4 Service Errors..............................................18
6.4 Modify Operation Errors........................................18
6.4.1 Name Errors.................................................19
6.4.2 Update Errors...............................................19
6.4.3 Attribute Errors............................................19
6.4.4 Security Errors.............................................19
6.5 Add Operation Errors...........................................19
6.5.1 Name Errors.................................................20
6.5.2 Update Errors...............................................20
6.5.3 Attribute Errors............................................20
6.5.4 Security Errors.............................................20
6.6 Delete Operation Errors........................................21
6.6.1 Name Errors.................................................21
6.6.2 Update Errors...............................................21
6.6.3 Security Errors.............................................21
6.7 ModifyDN Operation Errors......................................21
6.7.1 Name Errors.................................................22
6.7.2 Update Errors...............................................22
6.7.3 Attribute Errors............................................22
6.7.4 Security Errors.............................................22
6.8 Compare Operation Errors.......................................22
6.8.1 Name Errors.................................................23
6.8.2 Attribute Errors............................................23
6.8.3 Security Errors.............................................23
6.8.4 Example.....................................................23
6.9 Extended Operation Errors......................................24
6.10 Operations with no Server Response............................24
6.11 Unsolicited Notification......................................24
6.12 Controls......................................................25
7. Security Considerations........................................25
8. References.....................................................25
9. Acknowledgments................................................25
10. Author's Addresses............................................26
11 Appendix A: Operation/Response Matrix..........................27
12 Full Copyright Statement.......................................29
5. Result Codes in LDAPv3

In this section, a glossary of the result codes that may be returned
from a server to a client is provided. This section is meant to
provide a central, unified source for these definitions. RFC 2251
[RFC2251] and X.511 [X511] were primary sources, forming the basis
for the definitions given in this section.

LDAP v3 [RFC2251] defines the following result message for return
from the server to the client, where "new" indicates those codes that
were not used in LDAP v2.
   LDAPResult ::= SEQUENCE {
        resultCode      ENUMERATED {
                     timeLimitExceeded            (3),
                     sizeLimitExceeded            (4),
                     authMethodNotSupported       (7),
                     strongAuthRequired           (8),
                     referral                     (10), -- new
                     adminLimitExceeded           (11), -- new
                     unavailableCriticalExtension (12), -- new
                     confidentialityRequired      (13), -- new
                     saslBindInProgress           (14), -- new
                     noSuchAttribute              (16),
                     undefinedAttributeType       (17),
                     inappropriateMatching        (18),
                     constraintViolation          (19),
                     attributeOrValueExists       (20),
                     invalidAttributeSyntax       (21),
                     invalidDNSyntax              (34),
                     -- 35 reserved for undefined isLeaf --
                     aliasDereferencingProblem    (36),
                     inappropriateAuthentication  (48),
                     invalidCredentials           (49),
                     insufficientAccessRights     (50),
                     unwillingToPerform           (53),
                     namingViolation              (64),
                     objectClassViolation         (65),
                     notAllowedOnNonLeaf          (66),
                     notAllowedOnRDN              (67),
                     entryAlreadyExists           (68),
                     objectClassModsProhibited    (69),
                     -- 70 reserved for CLDAP --
                     affectsMultipleDSAs          (71), -- new
                     -- 81-90 reserved for APIs --
        errorMessage    LDAPString,
        referral        [3] Referral OPTIONAL }
If a client receives a result code that is not listed above, it is to
be treated as an unknown error condition. A server MUST NOT return an
API result code (81-90).

The LDAP result includes an errorMessage field, which may, at the
server's option, be used to return a string containing a textual,
human-readable error diagnostic. As this error diagnostic is not
standardized, implementations MUST NOT rely on the values returned.
If the server chooses not to return a textual diagnostic, the
errorMessage field of the LDAPResult type MUST contain a zero length

In the following subsections, definitions for each result code are
provided. In addition, the operations that may return each result
code are also identified. The set of all operations consists of the
following: Bind; Search; Modify; Add; Delete; ModifyDN; Extended; and
5.1 Description of Non-Erroneous Result Codes

Five result codes that may be returned in LDAPResult are not used to
indicate an error. These result codes are listed below. The first
three codes indicate to the client that no further action is
required in order to satisfy their request. In contrast, the last
two results require further action by the client in order to complete
their original operation request.
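As an added illustration (not part of this draft), the following Python decodes a BER-encoded LDAPResult as defined above and applies the client-side rules of this section: codes not listed are unknown errors, API codes 81-90 coming from a server are a protocol violation, referral and saslBindInProgress require further client action, matchedDN is only consulted on name errors, and errorMessage is never interpreted. The sample results are constructed here, and the small BER encoder and the RESULT_NAMES table are this example's own, not an LDAP library's API.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Result code names taken from the LDAPResult enumeration in this draft.
RESULT_NAMES: Dict[int, str] = {
    0: "success", 1: "operationsError", 2: "protocolError",
    3: "timeLimitExceeded", 4: "sizeLimitExceeded", 5: "compareFalse",
    6: "compareTrue", 7: "authMethodNotSupported", 8: "strongAuthRequired",
    10: "referral", 11: "adminLimitExceeded", 12: "unavailableCriticalExtension",
    13: "confidentialityRequired", 14: "saslBindInProgress",
    16: "noSuchAttribute", 17: "undefinedAttributeType",
    18: "inappropriateMatching", 19: "constraintViolation",
    20: "attributeOrValueExists", 21: "invalidAttributeSyntax",
    32: "noSuchObject", 33: "aliasProblem", 34: "invalidDNSyntax",
    36: "aliasDereferencingProblem", 48: "inappropriateAuthentication",
    49: "invalidCredentials", 50: "insufficientAccessRights", 51: "busy",
    52: "unavailable", 53: "unwillingToPerform", 54: "loopDetect",
    64: "namingViolation", 65: "objectClassViolation", 66: "notAllowedOnNonLeaf",
    67: "notAllowedOnRDN", 68: "entryAlreadyExists",
    69: "objectClassModsProhibited", 71: "affectsMultipleDSAs", 80: "other",
}
NAME_ERRORS = {32, 33, 34, 36}   # the only codes for which matchedDN is set

@dataclass
class LDAPResult:
    result_code: int
    matched_dn: str
    error_message: str
    referral: List[str] = field(default_factory=list)

def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one BER element (one-byte tag, short or long-form length)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated BER element")
    return tag, value, pos + length

def decode_ldap_result(buf: bytes) -> LDAPResult:
    """Decode LDAPResult ::= SEQUENCE { resultCode ENUMERATED, matchedDN
    LDAPString, errorMessage LDAPString, referral [3] Referral OPTIONAL }."""
    tag, body, _ = _read_tlv(buf, 0)
    if tag != 0x30:
        raise ValueError("LDAPResult must be a SEQUENCE")
    tag, code, pos = _read_tlv(body, 0)
    if tag != 0x0A:
        raise ValueError("resultCode must be ENUMERATED")
    t1, dn, pos = _read_tlv(body, pos)
    t2, msg, pos = _read_tlv(body, pos)
    if t1 != 0x04 or t2 != 0x04:
        raise ValueError("matchedDN and errorMessage must be OCTET STRING")
    urls: List[str] = []
    if pos < len(body):                   # optional [3] IMPLICIT SEQUENCE OF LDAPURL
        tag, ref, pos = _read_tlv(body, pos)
        if tag != 0xA3:
            raise ValueError("unexpected element after errorMessage")
        rpos = 0
        while rpos < len(ref):
            _, url, rpos = _read_tlv(ref, rpos)
            urls.append(url.decode("utf-8"))
    return LDAPResult(int.from_bytes(code, "big", signed=True),
                      dn.decode("utf-8"), msg.decode("utf-8"), urls)

def handle(res: LDAPResult) -> dict:
    """Client-side handling per Section 5. errorMessage is free text and is
    deliberately never interpreted; only the code and matchedDN drive logic."""
    code = res.result_code
    if 81 <= code <= 90:                  # a server MUST NOT return API codes
        return {"kind": "protocol-violation", "action": "abort"}
    name = RESULT_NAMES.get(code)
    if name is None:                      # unlisted code: unknown error condition
        return {"kind": "unknown-error", "action": "abort"}
    if code == 10:                        # referral: client must re-issue elsewhere
        return {"kind": "continue", "name": name, "action": "follow-referral",
                "urls": res.referral}
    if code == 14:                        # saslBindInProgress: continue the bind
        return {"kind": "continue", "name": name, "action": "send-next-sasl-bind"}
    if code in (0, 5, 6):                 # success, compareFalse, compareTrue
        return {"kind": "ok", "name": name, "action": "done"}
    info = {"kind": "error", "name": name, "action": "fail"}
    if code in NAME_ERRORS:               # matchedDN is meaningful only here
        info["matched_dn"] = res.matched_dn
    return info

def _tlv(tag: int, value: bytes) -> bytes:  # tiny encoder for constructed samples
    assert len(value) < 128               # short-form length suffices here
    return bytes([tag, len(value)]) + value

def encode_ldap_result(code: int, matched_dn: str = "", error_message: str = "",
                       referral: Tuple[str, ...] = ()) -> bytes:
    body = _tlv(0x0A, bytes([code])) + _tlv(0x04, matched_dn.encode()) \
        + _tlv(0x04, error_message.encode())
    if referral:
        body += _tlv(0xA3, b"".join(_tlv(0x04, u.encode()) for u in referral))
    return _tlv(0x30, body)

# Constructed samples (not real server traffic).
SAMPLE_NO_SUCH_OBJECT = encode_ldap_result(32, "ou=people,o=example")
SAMPLE_REFERRAL = encode_ldap_result(10, referral=("ldap://other.example/",))
```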
5.1.1 success(0)

Applicable operations: all except for Compare.

This result code does not indicate an error. It is returned when the
client operation completed successfully.
5.1.2 compareFalse(5)

Applicable operations: Compare.

This result code does not indicate an error. It is used to indicate
that the result of a Compare operation is FALSE.
5.1.3 compareTrue(6)

Applicable operations: Compare.

This result code does not indicate an error. It is used to indicate
that the result of a Compare operation is TRUE.
5.1.4 referral(10)

Applicable operations: all.

This result code is new in LDAPv3. Rather than indicating an error,
this result code is used to indicate that the server does not hold
the target entry of the request but is able to provide alternative
servers that may. A set of server URLs may be returned in the
referral field, which the client may subsequently query to attempt to
complete their operation.
5.1.5 saslBindInProgress(14)

Applicable operations: Bind.

This result code is new in LDAPv3. This result code is not an error
response from the server, but rather, is a request for bind
continuation. The server requires the client to send a new bind
request, with the same SASL mechanism, to continue the authentication
process [RFC2251, Section 4.2.3].
5.2 Description of Error Codes

General error codes (see Section 5.2.1) are typically returned only
when no suitable specific error exists. Specific error codes (see
Section 5.2.2) are meant to capture situations that are specific to
the requested operation.
5.2.1 General Error Codes

A general error code typically specifies an error condition for which
there is no suitable specific error code. If the server can return an
error which is more specific than the following general errors, then
the specific error should be returned instead.
5.2.1.1 other(80)

Applicable operations: all.

This error code should be returned only if no other error code is
suitable. Use of this error code should be avoided if possible.
Details of the error should be provided in the error message.
5.2.2 Specific Error Codes

Specific errors are used to indicate that a particular type of error
has occurred. These error types are Name, Update, Attribute,
Security, and Service.

5.2.2.1 Attribute Problem Error Codes
An attribute error reports a problem related to an attribute
specified by the client in their request message.

5.2.2.1.1 noSuchAttribute(16)

Applicable operations: Modify, Compare.

This error may be returned if the attribute specified as an argument
of the operation does not exist in the entry.
5.2.2.1.2 undefinedAttributeType(17)

Applicable operations: Modify, Add.

This error may be returned if the specified attribute is unrecognized
by the server, since it is not present in the server's defined
schema. If the server doesn't recognize an attribute specified in a
search request as the attribute to be returned, the server should not
return an error in this case; it should just return values for the
requested attributes it does recognize. Note that this result code
only applies to the Add and Modify operations [X511, Section 12.4].
5.2.2.1.3 inappropriateMatching(18)

Applicable operations: Search.

An attempt was made, e.g., in a filter, to use a matching rule not
defined for the attribute type concerned [X511, Section 12.4].

5.2.2.1.4 constraintViolation(19)

Applicable operations: Modify, Add, ModifyDN.

This error should be returned by the server if an attribute value
specified by the client violates the constraints placed on the
attribute as it was defined in the DSA; this may be a size
constraint or a constraint on the content.

5.2.2.1.5 attributeOrValueExists(20)

Applicable operations: Modify, Add.

This error should be returned by the server if the value specified by
the client already exists within the attribute.

5.2.2.1.6 invalidAttributeSyntax(21)

Applicable operations: Modify, Add.

This error should be returned by the server if the attribute syntax
for the attribute value, specified as an argument of the operation,
is unrecognized or invalid.
5.2.2.2 NameProblem Error Codes

A name error reports a problem related to the distinguished name
provided as an argument to an operation [X511, Section 12.5].

For result codes of noSuchObject, aliasProblem, invalidDNSyntax and
aliasDereferencingProblem (see Section 5.2.2.3.4), the matchedDN
field is set to the name of the lowest entry (object or alias) in the
directory that was matched. If no aliases were dereferenced while
attempting to locate the entry, this will be a truncated form of the
name provided, or if aliases were dereferenced, of the resulting
name, as defined in section 12.5 of X.511 [X511]. The matchedDN field
is to be set to a zero length string with all other result codes
[RFC2251, Section 4.1.10].
5.2.2.2.1 noSuchObject(32)

Applicable operations: all except for Bind.

This error should only be returned if the target object cannot be
found. For example, in a search operation if the search base can not
be located in the DSA the server should return noSuchObject. If,
however, the search base is found but does not match the search
filter, success, with no resultant objects, should be returned
instead of noSuchObject.

If the LDAP server is a front end for an X.500 DSA then noSuchObject
may also be returned if discloseOnError is not granted for an entry
and the client does not have permission to view or modify the entry.
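The matchedDN rule of Section 5.2.2.2 and the noSuchObject versus empty-success distinction for Search, as an added Python example that is not part of the draft. It models a stand-alone (non-X.500) server, so no discloseOnError logic applies; the in-memory DIT, the naive comma-split DN handling and the filter callback are simplified stand-ins for a real server's implementation.

```python
from typing import Callable, Dict, List, Tuple

SUCCESS, NO_SUCH_OBJECT = 0, 32

def _norm(dn: str) -> str:
    """Canonical form for comparison (naive split on ','; no escaping)."""
    return ",".join(r.strip().lower() for r in dn.split(",")) if dn else ""

def matched_dn(requested: str, existing: List[str]) -> str:
    """Name of the lowest existing entry matched while locating `requested`,
    i.e. the longest trailing part of the requested DN that names an entry
    (no aliases involved). Returns "" if not even the suffix matches."""
    known = {_norm(e) for e in existing}
    rdns = [r.strip() for r in requested.split(",")]
    for i in range(1, len(rdns)):          # drop leading RDNs one at a time
        candidate = ",".join(rdns[i:])
        if _norm(candidate) in known:
            return candidate
    return ""

def search(base: str, dit: Dict[str, dict],
           filt: Callable[[dict], bool]) -> Tuple[int, str, List[str]]:
    """Whole-subtree Search returning (resultCode, matchedDN, entry names).
    noSuchObject (with matchedDN) only when the base itself is absent; a base
    that exists but matches nothing yields success with an empty result."""
    index = {_norm(name): (name, attrs) for name, attrs in dit.items()}
    b = _norm(base)
    if b not in index:
        return NO_SUCH_OBJECT, matched_dn(base, list(dit)), []
    hits = [name for key, (name, attrs) in index.items()
            if (key == b or key.endswith("," + b)) and filt(attrs)]
    return SUCCESS, "", hits

# Constructed sample DIT (not from the draft).
SAMPLE_DIT = {
    "o=example": {"objectClass": ["organization"]},
    "ou=people,o=example": {"objectClass": ["organizationalUnit"]},
    "cn=alice,ou=people,o=example": {"objectClass": ["person"], "cn": ["alice"]},
}
```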
5.2.2.2.2 aliasProblem(33)

Applicable operations: Search.

An alias has been dereferenced which names no object [X511, Section
5.2.2.2.3 invalidDNSyntax(34)

Applicable operations: all.

This error should be returned by the server if the DN syntax is
incorrect. It should not be returned if the DN is correctly formed
but represents an entry which is not permitted by the structure rules
at the DSA; in this case namingViolation should be returned instead.

5.2.2.3 SecurityProblem Error Codes

A security error reports a problem in carrying out an operation for
security reasons [X511, Section 12.7].
5.2.2.3.1 authMethodNotSupported(7)

Applicable operations: Bind.

This error code should be returned if the client requests, in a Bind
request, an authentication method which is not supported or
recognized by the server.
5.2.2.3.2 strongAuthRequired(8)

Applicable operations: all.

This error may be returned on a bind request if the server only
accepts strong authentication or it may be returned when a client
attempts an operation which requires the client to be strongly
authenticated, for example Delete.

This result code may also be returned in an unsolicited notice of
disconnection if the server detects that an established underlying
security association protecting communication between the client and
server has unexpectedly failed or been compromised. [RFC2251, Section
5.2.2.3.3 confidentialityRequired(13)

Applicable operations: all.

This error code is new in LDAPv3. This error code may be returned if
the session is not protected by a protocol which provides session
confidentiality. For example, if the client did not establish a TLS
connection using a cipher suite which provides confidentiality of the
session before sending any other requests, and the server requires
session confidentiality then the server may reject that request with
a result code of confidentialityRequired.
5.2.2.3.4 aliasDereferencingProblem(36)

Applicable operations: Search.

An alias was encountered in a situation where it was not allowed or
where access was denied [X511, Section 12.5]. For example, if the
client does not have read permission for the aliasedObjectName
attribute and its value then the error aliasDereferencingProblem
should be returned. [X511, Section 7.11.1.1]

Notice that this error has similar meaning to
insufficientAccessRights(50) (see Section 5.2.2.3.7), but is specific
to Searching on an alias.

(See note at start of Section 5.2.2.2 regarding this error code.)
5.2.2.3.5 inappropriateAuthentication(48)

Applicable operations: Bind.

This error should be returned by the server when the client has tried
to use a method of authentication that is inappropriate, that is a
method of authentication which the client is unable to use correctly.
In other words, the level of security associated with the requestor's
credentials is inconsistent with the level of protection requested,
e.g. simple credentials were supplied while strong credentials were
required [X511, Section 12.7].
5.2.2.3.6 invalidCredentials(49)

Applicable operations: Bind.

This error code is returned if the DN or password used in a simple
bind operation is incorrect, or if the DN or password is incorrect
for some other reason, e.g. the password has expired. This result
code only applies to Bind operations; it should not be returned for
other operations if the client does not have sufficient permission to
perform the requested operation. In this case the return code should
be insufficientAccessRights.
5.2.2.3.7 insufficientAccessRights(50)

Applicable operations: all except for Bind.

The requestor does not have the right to carry out the requested
operation [X511, Section 12.7]. Note that the more specific
aliasDereferencingProblem (see Section 5.2.2.3.4) is returned in case
of a Search on an alias where the requestor has
insufficientAccessRights.
5.2.2.4 ServiceProblem Error Codes

A service error reports a problem related to the provision of the
service [X511, Section 12.8].

5.2.2.4.1 operationsError(1)

Applicable operations: all except Bind.

If the server requires that the client bind before browsing or
modifying the directory, the server MAY reject a request other than
binding, unbinding or an extended request with the "operationsError"
result. [RFC2251, Section 4.2.1]
5.2.2.4.2 protocolError(2)

Applicable operations: all.

A protocol error should be returned by the server when an invalid or
malformed request is received from the client. This may be a request
that is not recognized as an LDAP request, for example, if a
nonexistent operation were specified in LDAPMessage. As well, it may
be the result of a request that is missing a required parameter, such
as a search filter in a search request. If the server can return an
error which is more specific than protocolError, then this error
should be returned instead. For example if the server does not
recognize the authentication method requested by the client then the
error authMethodNotSupported should be returned instead of
protocolError. The server may return details of the error in the
5.2.2.4.3 timeLimitExceeded(3)

Applicable operations: all.

This error should be returned when the time to perform an operation
has exceeded either the time limit specified by the client (which may
only be set by the client in a search operation) or the limit
specified by the server. If the time limit is exceeded on a search
operation then the result is an arbitrary selection of the
accumulated results [X511, Section 7.5]. Note that an arbitrary
selection of results may mean that no results are returned to the

If the LDAP server is a front end for an X.500 server, any operation
that is chained may exceed the time limit; therefore clients can
expect to receive timeLimitExceeded for all operations. For stand
alone LDAP servers that do not implement chaining it is unlikely that
operations other than search operations will exceed the defined
5.2.2.4.4 sizeLimitExceeded(4)

Applicable operations: Search.

This error should be returned when the number of results generated by
a search exceeds the maximum number of results specified by either
the client or the server. If the size limit is exceeded then the
results of a search operation will be an arbitrary selection of the
accumulated results, equal in number to the size limit [X511, Section
5.2.2.4.5 adminLimitExceeded(11)

Applicable operations: all.

This error code is new in LDAPv3. The server has reached some limit
set by an administrative authority, and no partial results are
available to return to the user [X511, Section 12.8]. For example,
there may be an administrative limit to the number of entries a
server will check when gathering potential search result candidates
5.2.2.4.6 unavailableCriticalExtension(12)

Applicable operations: all.

This error code is new in LDAPv3. The server was unable to satisfy
the request because one or more critical extensions were not
available [X511, Section 12.8]. This error is returned, for example,
when a control submitted with a request is marked critical but is not
recognized by a server or when such a control is not appropriate for
the operation type. [RFC2251 section 4.1.12].
5.2.2.4.7 busy(51)

Applicable operations: all.

This error code may be returned if the server is unable to process
the client's request at this time. This implies that if the client
retries the request shortly the server will be able to process it
5.2.2.4.8 unavailable(52)

Applicable operations: all.

This error code is returned when the server is unavailable to process
the client's request. This usually means that the LDAP server is
shutting down [RFC2251, Section 4.2.3].
5.2.2.4.9 unwillingToPerform(53)

Applicable operations: all.

This error code should be returned by the server when a client
request is properly formed but which the server is unable to complete
due to server-defined restrictions. For example, the server, or some
part of it, is not prepared to execute this request, e.g. because it
would lead to excessive consumption of resources or violates the
policy of an Administrative Authority involved [X511, Section 12.8].
If the server is able to return a more specific error code such as
adminLimitExceeded it should. This error may also be returned if the
client attempts to modify attributes which can not be modified by
users, e.g., operational attributes such as creatorsName or
createTimestamp [X511, Section 7.12]. If appropriate, details of the
error should be provided in the error message.
5.2.2.4.10 loopDetect(54)

Applicable operations: all.

This error may be returned by the server if it detects an alias or
referral loop, and is unable to satisfy the client's request.
5.2.2.5 UpdateProblem Error Codes

An update error reports problems related to attempts to add, delete,
or modify information in the DIB [X511, Section 12.9].

5.2.2.5.1 namingViolation(64)

Applicable operations: Add, ModifyDN.
777 Just, Leclair, Sermersheim, Smith INTERNET-DRAFT 13
780 LDAPv3 Result Codes: Definitions and Appropriate Use Apr, 2000
782 The attempted addition or modification would violate the structure
783 rules of the DIT as defined in the directory schema and X.501. That
784 is, it would place an entry as the subordinate of an alias entry, or
785 in a region of the DIT not permitted to a member of its object class,
786 or would define an RDN for an entry to include a forbidden attribute
787 type [X511, Section 12.9].
789 5.2.2.5.2 objectClassViolation(65)
791 Applicable operations: Modify, Add, ModifyDN.
793 This error should be returned if the operation requested by the user
794 would violate the objectClass requirements for the entry if carried
795 out. On an add or modify operation this would result from trying to
796 add an object class without a required attribute, or by trying to add
797 an attribute which is not permitted by the current object class set
798 in the entry. On a modify operation this may result from trying to
799 remove a required attribute without removing the associated auxiliary
800 object class, or by attempting to remove an object class while the
801 attributes it permits are still present.
803 5.2.2.5.3 notAllowedOnNonLeaf(66)
805 Applicable operations: Delete, ModifyDN.
807 This operation should be returned if the client attempts to perform
808 an operation which is permitted only on leaf entries - e.g., if the
809 client attempts to delete a non-leaf entry. If the directory does
810 not permit ModifyDN for non-leaf entries then this error may be
811 returned if the client attempts to change the DN of a non-leaf entry.
812 (Note that 1988 edition X.500 servers only permitted change of the
813 RDN of an entry's DN [X.511, Section 11.4.1]).
815 5.2.2.5.4 notAllowedOnRDN(67)
817 Applicable operations: Modify.
819 The attempted operation would affect the RDN (e.g., removal of an
820 attribute which is a part of the RDN) [X511, Section 12.9]. If the
821 client attempts to remove from an entry any of its distinguished
822 values, those values which form the entry's relative distinguished
823 name the server should return the error notAllowedOnRDN. [RFC2251,
5.2.2.5.5 entryAlreadyExists(68)

Applicable operations: Add, ModifyDN.

This error should be returned by the server when the client attempts
to add an entry which already exists, or if the client attempts to
rename an entry with the name of an entry which exists.

5.2.2.5.6 objectClassModsProhibited(69)

Applicable operations: Modify.

An operation attempted to modify an object class that should not be
modified, e.g., the structural object class of an entry. Some
servers may not permit object class modifications, especially
modifications to the structural object class since this may change
the entry entirely, name forms, structure rules etc. [X511, Section

5.2.2.5.7 affectsMultipleDSAs(71)

Applicable operations: ModifyDN.

This error code is new for LDAPv3. This error code should be returned
to indicate that the operation could not be performed since it
affects more than one DSA.

X.500 restricts the ModifyDN operation to only affect entries that
are contained within a single server. If the LDAP server is mapped
onto DAP, then this restriction will apply, and the resultCode
affectsMultipleDSAs will be returned if this error occurred. In
general clients MUST NOT expect to be able to perform arbitrary
movements of entries and subtrees between servers [RFC2251, Section
LDAP v3 [RFC2251] defines the following LDAPMessage for conveyance of
the intended operation request from the client to the server.

   LDAPMessage ::= SEQUENCE {
        messageID       MessageID,
        protocolOp      CHOICE {
                bindRequest     BindRequest,
                bindResponse    BindResponse,
                unbindRequest   UnbindRequest,
                searchRequest   SearchRequest,
                searchResEntry  SearchResultEntry,
                searchResDone   SearchResultDone,
                searchResRef    SearchResultReference,
                modifyRequest   ModifyRequest,
                modifyResponse  ModifyResponse,
                addRequest      AddRequest,
                addResponse     AddResponse,
                delRequest      DelRequest,
                delResponse     DelResponse,
                modDNRequest    ModifyDNRequest,
                modDNResponse   ModifyDNResponse,
                compareRequest  CompareRequest,
                compareResponse CompareResponse,
                abandonRequest  AbandonRequest,
                extendedReq     ExtendedRequest,
                extendedResp    ExtendedResponse },
        controls        [0] Controls OPTIONAL }

   MessageID ::= INTEGER (0 .. maxInt)

   maxInt INTEGER ::= 2147483647 -- (2^^31 - 1) --
Starting in Section 6.2, behaviour regarding the return of each
result code is specified for each operation. Section 6.1 indicates
those result codes that are typically applicable to all operations.

6.1 Common Result Codes

The following result codes are applicable to, and may be returned in
response to, all operations (except where stated otherwise).

6.1.1 Non-erroneous results

For all but a Compare operation, a success(0) result code will be
returned in the case that the requested operation succeeds; a
compareTrue would be returned for a Compare operation. For each
operation, the server may return referral(10), as defined in Section

6.1.2 Security Errors

Of the six possible security errors, two may be returned in response
to every operation. These two errors are strongAuthRequired(8) and
confidentialityRequired(13).

6.1.3 Service Errors

All service errors, except operationsError(1) and
sizeLimitExceeded(4), may be returned in response to any LDAP v3
operation. operationsError(1) is applicable to all operations except
Bind. sizeLimitExceeded is only applicable to the Search operation.

6.1.4 General Errors

The general error other(80) is applicable to all operations.
6.2 Bind Operation Errors

If the bind operation succeeds then a result code of success will be
returned to the client. If the server does not hold the target entry
of the request, a referral(10) may be returned. If the operation
fails then the result code will be one of the following from the set
of non-erroneous results, name errors, security errors, service
errors, and general errors.

If the server does not support the client's requested protocol
version, it MUST set the resultCode to protocolError.
If the client receives a BindResponse response where the resultCode
was protocolError, it MUST close the connection as the server will be
unwilling to accept further operations. (This is for compatibility
with earlier versions of LDAP, in which the bind was always the first
operation, and there was no negotiation.) [RFC2251, Section 5.2.3]

The remaining errors listed in this section are operation-specific.
An operation may also result in the return of any of the common
errors, as listed in Section 6.1.

6.2.1 Non-erroneous results

In addition to success or referral, the following non-erroneous
result code may be returned:

saslBindInProgress: the server requires the client to send a new bind
request, with the same SASL mechanism, to continue the authentication

6.2.2 Name Errors

invalidDNSyntax: the DN provided does not have the correct syntax,

6.2.3 Security Errors

As stated in Section 6.1.2, strongAuthRequired(8) and
confidentialityRequired(13) may be returned for any operation.

authMethodNotSupported: unrecognized SASL mechanism name,

inappropriateAuthentication: the server requires the client, which had
attempted to bind anonymously or without supplying credentials, to
provide some form of credentials,

invalidCredentials: the wrong password was supplied or the SASL
credentials could not be processed, [RFC2251, Section 4.2.3]
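As an added example (not code from this draft or from any LDAP implementation), the following Python decodes a BindResponse from its BER encoding, following the LDAPMessage structure given above, and maps the resultCode to the client behaviour described in Sections 5.2.2.4.7, 5.2.2.4.8 and 6.2: protocolError closes the connection, saslBindInProgress continues the SASL exchange, busy is retried, and invalidCredentials is reported as a failure. The sample byte strings are constructed by hand, and the ClientAction names and the code-to-action mapping are assumptions of this example, not part of the draft.

```python
"""Decode an LDAPv3 BindResponse and choose the client's next step.

Added example; not code from the draft or from any LDAP library. The
BER byte strings are constructed by hand for this example, and the
ClientAction names and the code-to-action mapping are our own."""
from dataclasses import dataclass
from enum import Enum

# Result codes used here, numbered as in the draft.
SUCCESS = 0
PROTOCOL_ERROR = 2
SASL_BIND_IN_PROGRESS = 14
INVALID_CREDENTIALS = 49
BUSY = 51
UNAVAILABLE = 52


class ClientAction(Enum):
    PROCEED = "proceed"                # bind accepted; send further operations
    CONTINUE_SASL = "continue-sasl"    # send another BindRequest, same mechanism
    CLOSE = "close-connection"         # server will not accept further operations
    RETRY_LATER = "retry-later"        # transient condition; retry shortly
    FAIL = "fail"                      # bind failed; report, do not retry blindly


@dataclass
class LdapResult:
    message_id: int
    result_code: int
    matched_dn: str
    error_message: str


def _read_tlv(buf: bytes, pos: int):
    """Parse one BER tag-length-value at buf[pos]; return (tag, value, end).
    Handles short-form and long-form lengths (X.690, 8.1.3)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER element")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                  # long form: low 7 bits = number of length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated BER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:end], end


def decode_bind_response(msg: bytes) -> LdapResult:
    """Decode LDAPMessage { messageID, bindResponse [APPLICATION 1] }.
    A BindResponse begins with the LDAPResult fields resultCode
    (ENUMERATED), matchedDN and errorMessage (OCTET STRING); any trailing
    referral or serverSaslCreds field is ignored here."""
    tag, body, _ = _read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("LDAPMessage must be a SEQUENCE")
    tag, mid, pos = _read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("messageID must be an INTEGER")
    tag, op, _ = _read_tlv(body, pos)
    if tag != 0x61:                    # [APPLICATION 1], constructed
        raise ValueError("protocolOp is not a BindResponse")
    tag, rc, pos = _read_tlv(op, 0)
    if tag != 0x0A:
        raise ValueError("resultCode must be an ENUMERATED")
    _, matched, pos = _read_tlv(op, pos)
    _, errmsg, _ = _read_tlv(op, pos)
    return LdapResult(int.from_bytes(mid, "big", signed=True),
                      int.from_bytes(rc, "big"),
                      matched.decode("utf-8"), errmsg.decode("utf-8"))


def bind_client_action(result: LdapResult) -> ClientAction:
    """Map a BindResponse resultCode to the client behaviour described
    in Sections 5.2.2.4.7, 5.2.2.4.8 and 6.2 of the draft."""
    code = result.result_code
    if code == SUCCESS:
        return ClientAction.PROCEED
    if code == SASL_BIND_IN_PROGRESS:
        return ClientAction.CONTINUE_SASL
    if code in (PROTOCOL_ERROR, UNAVAILABLE):   # MUST close on protocolError
        return ClientAction.CLOSE
    if code == BUSY:
        return ClientAction.RETRY_LATER
    return ClientAction.FAIL                      # invalidCredentials and the rest


# Constructed sample: messageID 1, invalidCredentials(49), empty matchedDN
# and errorMessage.  30 0c | 02 01 01 | 61 07 | 0a 01 31 | 04 00 | 04 00
SAMPLE_INVALID_CREDENTIALS = bytes.fromhex("300c02010161070a013104000400")
# Constructed sample: messageID 2, protocolError(2), with a 130-byte
# errorMessage so that the lengths use the long form.
SAMPLE_PROTOCOL_ERROR = (
    b"\x30\x81\x90"                    # SEQUENCE, length 144
    + b"\x02\x01\x02"                  # messageID 2
    + b"\x61\x81\x8a"                  # BindResponse, length 138
    + b"\x0a\x01\x02"                  # resultCode protocolError(2)
    + b"\x04\x00"                      # matchedDN ""
    + b"\x04\x81\x82" + b"x" * 130     # errorMessage, 130 bytes
)

if __name__ == "__main__":
    r = decode_bind_response(SAMPLE_INVALID_CREDENTIALS)
    print(r.result_code, bind_client_action(r).value)
```

The decoder rejects truncated elements and unexpected tags instead of reading past the buffer, which is the behaviour a client needs when the peer is untrusted; the action table is deliberately small and treats every result code it does not recognise as a failure rather than as a reason to retry.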
6.3 Search Operation Errors

X.500 provides three separate operations for searching the directory:
Read of a single entry, List of an entry's children and Search of
an entire sub-tree. LDAP provides a single search operation; however,
the X.500 operations can be simulated by using base, one-level and
sub-tree scope restrictions respectively.

If the Search operation succeeds then zero or more search entries
will be returned followed by a search result of success. If the
server does not hold the target entry of the request, a referral(10)
may be returned. If the search operation fails then zero or more
search entries will be returned followed by a search result
containing one of the following result codes from the set of name
errors, attribute errors, security errors, service errors, and

The remaining errors listed in this section are operation-specific.
An operation may also result in the return of any of the common
errors, as listed in Section 6.1.

6.3.1 Name Errors

noSuchObject: the base object, for the search, does not exist.

aliasProblem: an alias was dereferenced which named no object.

invalidDNSyntax: the DN provided for the search base does not have

6.3.2 Attribute Errors

inappropriateMatching: an attempt was made to use a matching rule not
defined for an attribute in the search filter.

6.3.3 Security Errors

As stated in Section 6.1.2, strongAuthRequired(8) and
confidentialityRequired(13) may be returned for any operation.

aliasDereferenceProblem: The client does not have permission for the
aliasedObjectName attribute or to search the dereferenced alias

insufficientAccessRights: The requestor does not have sufficient
permissions to perform the search. aliasDereferenceProblem should be
returned in this case, if applicable.

6.3.4 Service Errors

In addition to the common service errors indicated in Section 6.1.3,
the following service error may also be returned:

sizeLimitExceeded: the number of search results exceeds the size
limit specified by the client or the server. If the server has
defined a maximum PDU size, this error may also be returned if the
size of the combined results exceeds this limit.
6.4 Modify Operation Errors

The Modify operation cannot be used to remove from an entry any of
its distinguished values, those values that form the entry's relative
distinguished name. An attempt to do so will result in the server
returning the error notAllowedOnRDN. The Modify DN Operation
described in section 5.9 is used to rename an entry. [RFC2251,

If the modify operation succeeds, a result code of success will be
returned to the client. If the server does not hold the target entry
of the request, a referral(10) may be returned. If the operation
fails, the result code will be one of the following from the set of
name errors, update errors, attribute errors, security errors,
service errors, and general errors.

The remaining errors listed in this section are operation-specific.
An operation may also result in the return of any of the common
errors, as listed in Section 6.1.

6.4.1 Name Errors

noSuchObject: the target object does not exist.

invalidDNSyntax: the DN provided does not have the correct syntax,

6.4.2 Update Errors

objectClassViolation: An attempt was made to modify an object which
is illegal according to its object class definition in the schema or
DIT content rules for that object class.

notAllowedOnRDN: An attempt was made to modify the object entry's

objectClassModsProhibited: The modification attempted to change an
entry's object class which is not allowed.

6.4.3 Attribute Errors

noSuchAttribute: the attribute to be modified does not exist in the

undefinedAttributeType: The attribute specified does not exist in the
server's defined schema.

constraintViolation: The modification would create an attribute value
outside the normal bounds.

attributeOrValueExists: The modification would create a value which
already exists within the attribute.

invalidAttributeSyntax: The value specified doesn't adhere to the
syntax definition for that attribute.

6.4.4 Security Errors

As stated in Section 6.1.2, strongAuthRequired(8) and
confidentialityRequired(13) may be returned for any operation.

insufficientAccessRights: The requestor does not have sufficient
permissions to modify the entry.
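The following Python is an added example, not code from this draft or from any directory server, of how a server picks a single result code for a Modify request according to Sections 5.2.2.4.9, 5.2.2.5 and 6.4: undefined attribute types, operational attributes, the structural object class, RDN values, duplicate values and missing attributes are each checked first, and only then is the resulting entry validated against the object class rules. The toy schema, the single-entry directory and the modification tuple format are assumptions of this example.

```python
"""Server-side selection of the result code for a Modify request.

Added example; not code from the draft or from any directory server.
The toy schema, the directory contents and the modification format
(("add"|"delete"|"replace", attribute, [values]) tuples) are our own
assumptions. Values are compared as plain strings, each modification
is checked against the entry as it was before the request, and DNs
are split on the first comma and assumed to contain no escapes."""

# Result codes used here, numbered as in the draft.
SUCCESS = 0
NO_SUCH_ATTRIBUTE = 16
UNDEFINED_ATTRIBUTE_TYPE = 17
ATTRIBUTE_OR_VALUE_EXISTS = 20
NO_SUCH_OBJECT = 32
UNWILLING_TO_PERFORM = 53
OBJECT_CLASS_VIOLATION = 65
NOT_ALLOWED_ON_RDN = 67
OBJECT_CLASS_MODS_PROHIBITED = 69

# Constructed toy schema.
KNOWN_ATTRS = {"objectClass", "cn", "sn", "mail", "telephoneNumber",
               "creatorsName", "createTimestamp"}
OPERATIONAL_ATTRS = {"creatorsName", "createTimestamp"}   # not user-modifiable
OBJECT_CLASSES = {
    "person": {"must": {"cn", "sn"}, "may": {"telephoneNumber"}, "structural": True},
    "inetOrgPerson": {"must": set(), "may": {"mail"}, "structural": False},
}

# Constructed sample directory: one entry.
DIRECTORY = {
    "cn=alice,ou=people,o=example": {
        "objectClass": {"person", "inetOrgPerson"},
        "cn": {"alice"},
        "sn": {"Example"},
        "mail": {"alice@example.test"},
        "creatorsName": {"cn=admin,o=example"},
    },
}


def _apply(entry, mods):
    """Return a copy of entry with mods applied, with no validation."""
    new = {attr: set(vals) for attr, vals in entry.items()}
    for op, attr, values in mods:
        current = new.setdefault(attr, set())
        if op == "add":
            current |= set(values)
        elif op == "delete":
            if values:
                current -= set(values)
            else:
                current.clear()          # delete with no values removes the attribute
        elif op == "replace":
            new[attr] = set(values)
    return {attr: vals for attr, vals in new.items() if vals}


def modify_result_code(directory, dn, mods):
    """Return the result code the draft prescribes for applying mods to
    the entry named by dn, most specific condition first (Section 6.4)."""
    entry = directory.get(dn)
    if entry is None:
        return NO_SUCH_OBJECT                       # 6.4.1
    rdn_attr, rdn_value = dn.split(",", 1)[0].split("=", 1)

    for op, attr, values in mods:
        if attr not in KNOWN_ATTRS:
            return UNDEFINED_ATTRIBUTE_TYPE         # 6.4.3: not in the schema
        if attr in OPERATIONAL_ATTRS:
            return UNWILLING_TO_PERFORM             # 5.2.2.4.9: creatorsName etc.
        present = entry.get(attr, set())
        if attr == "objectClass" and op != "add":
            # Dropping the structural class is prohibited (5.2.2.5.6).
            remaining = set(values) if op == "replace" else present - (set(values) or present)
            if any(OBJECT_CLASSES.get(c, {}).get("structural") for c in present - remaining):
                return OBJECT_CLASS_MODS_PROHIBITED
        if op == "delete":
            if not present:
                return NO_SUCH_ATTRIBUTE            # 6.4.3
            if attr == rdn_attr and (not values or rdn_value in values):
                return NOT_ALLOWED_ON_RDN           # 5.2.2.5.4
        if op == "replace" and attr == rdn_attr and rdn_value not in values:
            return NOT_ALLOWED_ON_RDN
        if op == "add" and set(values) & present:
            return ATTRIBUTE_OR_VALUE_EXISTS        # 6.4.3

    # Schema check on the entry as it would be after the change (5.2.2.5.2).
    new = _apply(entry, mods)
    must, may = set(), set()
    for cls in new.get("objectClass", set()):
        spec = OBJECT_CLASSES.get(cls)
        if spec is None:
            return OBJECT_CLASS_VIOLATION           # class not in the schema
        must |= spec["must"]
        may |= spec["may"]
    if not must <= set(new):
        return OBJECT_CLASS_VIOLATION               # a required attribute is gone
    if not set(new) <= must | may | {"objectClass"} | OPERATIONAL_ATTRS:
        return OBJECT_CLASS_VIOLATION               # attribute not permitted by the classes
    return SUCCESS


if __name__ == "__main__":
    dn = "cn=alice,ou=people,o=example"
    print(modify_result_code(DIRECTORY, dn, [("delete", "cn", ["alice"])]))   # 67
```

The ordering matters for the thesis of this draft: the specific codes (notAllowedOnRDN, objectClassModsProhibited, undefinedAttributeType) are reported before the generic objectClassViolation, and unwillingToPerform is used only for the case the draft assigns to it, modification of operational attributes.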
6.5 Add Operation Errors

The superior of the entry must exist for the operation to succeed. If
not, a noSuchObject error is returned and the matchedDN field will
contain the name of the lowest entry in the directory that was

If the add operation succeeds, a result code of success will be
returned to the client. If the server does not hold the target entry
of the request, a referral(10) may be returned. If the operation
fails, the result code will be one of the following from the set of
name errors, update errors, attribute errors, security errors,
service errors, and general errors.

The remaining errors listed in this section are operation-specific.
An operation may also result in the return of any of the common
errors, as listed in Section 6.1.

6.5.1 Name Errors

noSuchObject: One or more superiors to the target entry do not exist.

invalidDNSyntax: the DN provided does not have the correct syntax,

6.5.2 Update Errors

namingViolation: Either the target entry cannot be created under the
specified superior due to DIT structure rules, or the target entry is
named by an RDN not permitted by the DIT name form rule for its

objectClassViolation: An attempt was made to add an entry and one of
the following conditions existed: a required attribute was not
specified; an attribute was specified which is not permitted by the
current object class set in the entry; a structural object class
value was not specified; an object class value was specified that
doesn't exist in the schema.

entryAlreadyExists: The target entry already exists.

6.5.3 Attribute Errors

undefinedAttributeType: The attribute specified does not exist in the
server's defined schema.

constraintViolation: The attribute value falls outside the bounds
specified by the attribute syntax.

attributeOrValueExists: A duplicate attribute value appears in the
list of attributes for the entry.

invalidAttributeSyntax: The value specified doesn't adhere to the
syntax definition for that attribute.

6.5.4 Security Errors

As stated in Section 6.1.2, strongAuthRequired(8) and
confidentialityRequired(13) may be returned for any operation.

insufficientAccessRights: The requestor does not have sufficient
permissions to either add the entry or to add one or more of the
attributes specified.
6.6 Delete Operation Errors

If the delete operation succeeds, a result code of success will be
returned to the client. If the server does not hold the target entry
of the request, a referral(10) may be returned. If the operation
fails, the result code will be one of the following from the set of
name errors, update errors, security errors, service errors, and

The remaining errors listed in this section are operation-specific.
An operation may also result in the return of any of the common
errors, as listed in Section 6.1.

6.6.1 Name Errors

noSuchObject: The target entry does not exist.

invalidDNSyntax: the DN provided does not have the correct syntax,

6.6.2 Update Errors

notAllowedOnNonLeaf: The target entry is not a leaf object. Only
objects having no subordinate objects in the tree may be deleted.

6.6.3 Security Errors

As stated in Section 6.1.2, strongAuthRequired(8) and
confidentialityRequired(13) may be returned for any operation.

insufficientAccessRights: The requestor does not have sufficient
permissions to delete the entry.

6.7 ModifyDN Operation Errors

Note that X.500 restricts the ModifyDN operation to only affect
entries that are contained within a single server. If the LDAP server
is mapped onto DAP, then this restriction will apply, and the
resultCode affectsMultipleDSAs will be returned if this error
occurred. In general clients MUST NOT expect to be able to perform
arbitrary movements of entries and subtrees between servers.
[RFC2251, Section 4.9]

If the Modify DN operation succeeds then a result code of success
will be returned to the client. If the server does not hold the
target entry of the request, a referral(10) may be returned. If the
operation fails then the result code will be one of the following
from the set of name errors, update errors, attribute errors,
security errors, service errors, and general errors.

The remaining errors listed in this section are operation-specific.
An operation may also result in the return of any of the common
errors, as listed in Section 6.1.

6.7.1 Name Errors

noSuchObject: the target object does not exist or a new superior
object was specified that does not exist.

invalidDNSyntax: the DN provided does not have the correct syntax.

6.7.2 Update Errors

namingViolation: Either the target entry cannot be moved to the
specified superior due to DIT structure rules, or the target entry is
named by an RDN not permitted by the DIT name form rule for its

objectClassViolation: The client has specified that the old RDN
values should be removed from the entry (using the 'deleteOldRdn'
parameter) but the removal of these values would violate the entry's
schema. [RFC2251, Section 4.9]

notAllowedOnNonLeaf: If the server does not permit the ModifyDN
operation on non-leaf entries, this error will be returned if the
client attempts to rename a non-leaf entry.

entryAlreadyExists: The target entry already exists.

affectsMultipleDSAs: X.500 restricts the ModifyDN operation to only
affect entries that are contained within a single server. If the LDAP
server is mapped onto DAP, then this restriction will apply, and the
resultCode affectsMultipleDSAs will be returned if this error
occurred. In general clients MUST NOT expect to be able to perform
arbitrary movements of entries and sub-trees between servers.
[RFC2251, Section 4.9]

6.7.3 Attribute Errors

constraintViolation: The operation would create an attribute value
outside the normal bounds.

6.7.4 Security Errors

As stated in Section 6.1.2, strongAuthRequired(8) and
confidentialityRequired(13) may be returned for any operation.

insufficientAccessRights: The requestor does not have sufficient
permissions to either add the entry or to add one or more of the
attributes specified.
6.8 Compare Operation Errors

If there exists a value within the attribute being compared that
matches the purported argument and for which compare permission is
granted, the operation returns the value compareTrue in the result;
otherwise, the operation returns compareFalse. [X511, Section 9.2.4]
If the server does not hold the target entry of the request, a
referral(10) may be returned.

If the compare operation can not be completed, then the server may
return one of the following results from the set of name errors,
attribute errors, security errors, service errors, and general

The remaining errors listed in this section are operation-specific.
An operation may also result in the return of any of the common
errors, as listed in Section 6.1.

6.8.1 Name Errors

noSuchObject: the entry to be compared does not exist in the

invalidDNSyntax: the DN provided for the entry to be compared does
not have the correct syntax.

6.8.2 Attribute Errors

noSuchAttribute: the attribute to be compared does not exist in the

invalidAttributeSyntax: The value specified doesn't adhere to the
syntax definition for that attribute.

6.8.3 Security Errors

As stated in Section 6.1.2, strongAuthRequired(8) and
confidentialityRequired(13) may be returned for any operation.

insufficientAccessRights: If the client does not have read permission
for the entry to be compared, or for the attribute, then
insufficientAccessRights should be returned. [X511, Section 9.2.4]

The following example is included to demonstrate the expected
responses for the compare operation.
Given the following entry:

i) Compare with userPassword=xyz results in compareTrue because the
requested value exists in the entry.

ii) Compare with userPassword=abc results in compareFalse because
the entry contains a userPassword attribute but the value abc is not

iii) Compare with telephoneNumber=123-456-7890 results in
noSuchAttribute. The attribute telephoneNumber is permissible in the
entry based on the schema defined in the server but because it is
empty it does not exist in the target entry.

iv) Compare with ou=myOrg results in noSuchAttribute. The requested
attribute is a recognized attribute but it is neither present nor is
it valid for the target entry.

v) Compare with bogusAttr=abc results in noSuchAttribute. The
requested attribute is not a recognized attribute nor is it present
in the target entry.

Note that the response for scenarios iii through v is always
noSuchAttribute. The semantics of the compare operation is simply
"does the target entry contain the specified value?" and so no
distinction is made between a request for an unknown, invalid, or
valid but empty attribute. In all cases if the attribute is not
present in the entry then the result is noSuchAttribute.
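As an added example (not code from this draft), the following Python replays the five compare scenarios above against a constructed entry that stands in for the one the draft refers to, and applies the compare-permission rule of Section 6.8 and [X511, Section 9.2.4] before looking at the attribute. The entry, the permission hook and the function names are assumptions of this example.

```python
"""Result code selection for a Compare request.

Added example; not code from the draft. The directory entry, the
compare_permitted hook and the function names are constructed for
this example; the entry stands in for the one the draft's scenarios
refer to."""

# Result codes used here, numbered as in the draft.
COMPARE_FALSE = 5
COMPARE_TRUE = 6
NO_SUCH_ATTRIBUTE = 16
NO_SUCH_OBJECT = 32
INSUFFICIENT_ACCESS_RIGHTS = 50

# Constructed directory: one entry holding userPassword=xyz, with no
# telephoneNumber value even though its object class would permit one.
DIRECTORY = {
    "cn=alice,ou=people,o=example": {
        "objectClass": {"person"},
        "cn": {"alice"},
        "sn": {"Example"},
        "userPassword": {"xyz"},
    },
}


def compare_result_code(directory, dn, attr, value, compare_permitted):
    """compare_permitted(dn, attr) is the access-control hook: True when
    the requestor holds compare permission on that attribute of dn."""
    entry = directory.get(dn)
    if entry is None:
        return NO_SUCH_OBJECT                     # 6.8.1
    if not compare_permitted(dn, attr):
        return INSUFFICIENT_ACCESS_RIGHTS         # 6.8.3
    values = entry.get(attr)
    if not values:
        # The schema is deliberately not consulted: an unknown attribute,
        # one not valid for the entry and a valid but empty one all get
        # the same answer (draft scenarios iii to v).
        return NO_SUCH_ATTRIBUTE                  # 6.8.2
    return COMPARE_TRUE if value in values else COMPARE_FALSE


def run_draft_scenarios(directory, dn, compare_permitted=lambda dn, attr: True):
    """Replay the draft's five compare scenarios (i to v) against dn."""
    requests = [("userPassword", "xyz"),             # i
                ("userPassword", "abc"),             # ii
                ("telephoneNumber", "123-456-7890"), # iii
                ("ou", "myOrg"),                     # iv
                ("bogusAttr", "abc")]                # v
    return [compare_result_code(directory, dn, a, v, compare_permitted)
            for a, v in requests]


if __name__ == "__main__":
    print(run_draft_scenarios(DIRECTORY, "cn=alice,ou=people,o=example"))
```

The access check runs before the attribute lookup, so a requestor without compare permission on an attribute learns neither whether the attribute is present nor whether a guessed value matches; the draft's own example uses userPassword, where that ordering is what keeps the operation from acting as an equality oracle.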
6.9 Extended Operation Errors

The results returned for an extended operation vary, depending on the
particular operation. In any case, extended operations MAY return any
result code (excepting 81-90).

If the server does not recognize the request name, it MUST return
only the response fields from LDAPResult, containing the
protocolError result code [RFC2251, Section 4.12].

6.10 Operations with no Server Response

The LDAP v3 protocol has two client operations for which no server
response is returned. Specifically, these are unbindRequest and
abandonRequest. Since no response is returned, there is no need to
consider possible result codes for these operations.

6.11 Unsolicited Notification

In some situations, a server may issue a "response" to a client for
which there was no client request. This notification "is used to
signal an extraordinary condition in the server or in the connection
between the client and the server. The notification is of an
advisory nature, and the server will not expect any response to be
returned from the client." [RFC2251, Section 4.4]

RFC 2251 [RFC2251] describes a notice of disconnection in which a
protocolError, strongAuthRequired, or unavailable result code may be
returned. The reader is directed there for further information.

Section 4.1.12 of [RFC2251] specifies the syntax for controls that
may be sent as part of a request. [RFC2251] defines no specific
controls. It should be noted that the semantics of a control may
alter the result code that might otherwise have been returned for the
requested operation (see Section 5.2.2.4.6 for example).

7. Security Considerations

This draft is meant to complement and enhance the coverage of result
codes for LDAP v3, as described in RFC 2251 [RFC2251]. Section 7 of
RFC 2251 [RFC2251] lists a number of security considerations specific

Note that in X.500 if the discloseOnError permission is not granted
then many operations will return noSuchObject instead of a more
specific error. As there is currently no equivalent for this
permission in LDAP, LDAP-only servers should return the appropriate
error code in the event of an error.
[RFC2026] S. Bradner, "The Internet Standards Process - Revision
          3", RFC 2026, October 1996.

[RFC2119] S. Bradner, "Key words for use in RFCs to Indicate
          Requirement Levels", RFC 2119, March 1997.

[RFC2251] M. Wahl, T. Howes, S. Kille, "Lightweight Directory
          Access Protocol", RFC 2251, December 1997.

[X511]    ITU-T Recommendation X.511, "The Directory: Abstract
          Service Definition", 1993.

[TLS]     J. Hodges, R.L. Morgan, M. Wahl, "Lightweight Directory
          Access Protocol (v3): Extension for Transport Layer
          Security", June 1999. <draft-ietf-ldapext-ldapv3-tls-
          05.txt> "work in progress"

[Net]     Netscape Directory SDK 3.0 for C Programmer's Guide,
          Chapter 19: Result Codes.

The production of this document relied heavily on the information
available from RFC 2251 [RFC2251] and ITU-T Recommendation X.511

10. Author's Addresses

Entrust Technologies
750 Heron Rd, Tower E
Ottawa, Ontario, Canada
mike.just@entrust.com

Entrust Technologies
750 Heron Rd, Tower E
Ottawa, Ontario, Canada
kristianne.leclair@entrust.com

Provo, Utah 84606, USA

Mountain View, CA 94043
11 Appendix A: Operation/Response Matrix

An X marks a result code that may be returned for the operation in
that column (Bind, Search, Modify, Add, Delete, ModifyDN, Compare),
as specified in Section 6.

Result Codes                       Bind Srch  Mod  Add  Del  MDN  Cmp

Non-erroneous results
success (0)                         X    X    X    X    X    X
referral (10)                       X    X    X    X    X    X    X
saslBindInProgress (14)             X

Name errors
noSuchObject (32)                        X    X    X    X    X    X
invalidDNSyntax (34)                X    X    X    X    X    X    X

Update errors
namingViolation (64)                               X         X
objectClassViolation (65)                     X    X         X
notAllowedOnNonLeaf (66)                                X    X
notAllowedOnRDN (67)                          X
entryAlreadyExists (68)                            X         X
objectClassModsProhibited (69)                X
affectsMultipleDSAs (71)                                     X

Attribute errors
noSuchAttribute (16)                          X                   X
undefinedAttributeType (17)                   X    X
inappropriateMatching (18)               X
constraintViolation (19)                      X    X         X
attributeOrValueExists (20)                   X    X
invalidAttributeSyntax (21)                   X    X

Security errors
authMethodNotSupported (7)          X
strongAuthRequired (8)              X    X    X    X    X    X    X
confidentialityRequired (13)        X    X    X    X    X    X    X
aliasDereferencingProblem (36)           X
inappropriateAuthentication (48)    X
invalidCredentials (49)             X
insufficientAccessRights (50)            X    X    X    X    X    X

Service errors
operationsError (1)                      X    X    X    X    X    X
protocolError (2)                   X    X    X    X    X    X    X
timeLimitExceeded (3)               X    X    X    X    X    X    X
sizeLimitExceeded (4)                    X
adminLimitExceeded (11)             X    X    X    X    X    X    X
unavailableCriticalExtension (12)   X    X    X    X    X    X    X
busy (51)                           X    X    X    X    X    X    X
unavailable (52)                    X    X    X    X    X    X    X
unwillingToPerform (53)             X    X    X    X    X    X    X
loopDetect (54)                     X    X    X    X    X    X    X

General errors
other (80)                          X    X    X    X    X    X    X
12 Full Copyright Statement

Copyright (C) The Internet Society (Oct 1999). All Rights Reserved.

This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than

The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.

This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.