--- /dev/null
+
+Internet Draft Mike Just, Entrust
+ K. Leclair, Entrust
+ Jim Sermersheim, Novell
+ Mark Smith, Netscape
+Document: <draft-just-ldapv3-rescodes-02.txt> April, 2000
+Category: Standards Track
+
+
+ LDAPv3 Result Codes: Definitions and Appropriate Use
+ <draft-just-ldapv3-rescodes-02.txt>
+
+
+Status of this Memo
+
+ This document is an Internet-Draft and is in full conformance with
+ all provisions of Section 10 of RFC2026 [RFC2026].
+
+ Internet-Drafts are working documents of the Internet Engineering
+ Task Force (IETF), its areas, and its working groups. Note that other
+ groups may also distribute working documents as Internet-Drafts.
+ Internet-Drafts are draft documents valid for a maximum of six months
+ and may be updated, replaced, or obsoleted by other documents at any
+ time. It is inappropriate to use Internet- Drafts as reference
+ material or to cite them other than as "work in progress."
+
+ The list of current Internet-Drafts can be accessed at
+ http://www.ietf.org/ietf/1id-abstracts.txt
+ The list of Internet-Draft Shadow Directories can be accessed at
+ http://www.ietf.org/shadow.html.
+
+1. Abstract
+
+ The purpose of this document is to describe, in some detail, the
+ meaning and use of the result codes used with the LDAPv3 protocol.
+ Of particular importance are the error codes, which represent the
+ majority of the result codes. This document provides definitions for
+ each result code, and outlines the expected behaviour of the various
+ operations with respect to how result codes and in particular, error
+ conditions should be handled and which specific error code should be
+ returned.
+
+ It is hoped that this document will facilitate interoperability
+ between clients and servers and the development of intelligent LDAP
+ clients capable of acting upon the results received from the server.
+
+1.1 Relationship to X.500
+
+ The LDAPv3 RFC [RFC2251] states that "An LDAP server MUST act in
+ accordance with the X.500(1993) series of ITU recommendations when
+ providing the service. However, it is not required that an LDAP
+ server make use of any X.500 protocols in providing this service,
+ e.g. LDAP can be mapped onto any other directory system so long as
+ the X.500 data and service model as used in LDAP is not violated in
+ the LDAP interface." This means that there are two types of LDAP
+
+Just, Leclair, Sermersheim, Smith INTERNET-DRAFT 1
+
+
+ LDAPv3 Result Codes: Definitions and Appropriate Use Apr, 2000
+
+ servers, those that act as a front end to an X.500 directory, and
+ stand alone LDAP servers which use some other form of repository as
+ the back end.
+
+ Because of differences between X.500 and LDAP there may be some
+ differences in behaviour between LDAP-only servers and LDAP servers
+ that act as front ends to X.500 DSAs. One such difference is the
+ definition of specific access controls for X.500. X.500 defines the
+ discloseOnError permission, an access control parameter for which
+ there is currently no equivalent defined for LDAP. If an LDAP server
+ is acting as a front end to an X.500 DSA then it may return
+ noSuchObject when the target entry is found but the client does not
+ have permission to view or modify the entry. Unless the server
+ implements X.500 style access controls LDAP-only servers should only
+ return noSuchObject when the target entry is not found until such
+ time that similar access controls are defined for LDAP only servers.
+ Because the client may not know what sort of LDAP server it is
+ communicating with it should not rely on the behaviour of the server
+ in this respect.
+
+2. Conventions used in this document
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+ document are to be interpreted as described in RFC-2119 [RFC2119].
+
+3. Overview
+
+ This document collects and refines the definitions and descriptions
+ for LDAPv3 result codes, as found in a variety of sources (see
+ Section 8). In some cases, material from these sources was absent,
+ inadequate or ambiguous. It is the hope of this document to present
+ consistent definitions and descriptions of LDAPv3 result codes.
+
+ This document consists of two major sections facilitating information
+ searches based on either a particular result code, or LDAP operation.
+
+ Section 5 presents a glossary for the result codes. Firstly, each is
+ classified as either an erroneous or non-erroneous result. The
+ erroneous results, or error codes, are further classified based on
+ the types of error codes defined in X.511 [X511]. Some
+ reclassification was performed where appropriate. For each result
+ code, a definition, and list of operations that could return this
+ code are given.
+
+ Section 6 describes, for each operation, the result codes that could
+ be returned for that operation. Firstly, Section 6.1 enumerates
+ those result codes that are applicable to all operations. Within
+ each remaining section (which is specific to each operation), the
+ error codes that are specific to that operation (in addition to the
+ result codes specified in Section 6.1) are presented.
+
+ Also, Appendix A (Section 11) presents a simple matrix that indicates
+ valid operation/result code pairs in LDAPv3.
+
+Just, Leclair, Sermersheim, Smith INTERNET-DRAFT 2
+
+
+ LDAPv3 Result Codes: Definitions and Appropriate Use Apr, 2000
+
+
+4. Table of Contents
+
+ 1. Abstract........................................................1
+ 1.1 Relationship to X.500...........................................1
+ 2. Conventions used in this document...............................2
+ 3. Overview........................................................2
+ 4. Table of Contents...............................................3
+ 5. Result Codes in LDAPv3..........................................4
+ 5.1 Description of Non-Erroneous Result Codes.......................6
+ 5.1.1 success(0)...................................................6
+ 5.1.2 compareFalse(5)..............................................6
+ 5.1.3 compareTrue(6)...............................................6
+ 5.1.4 referral(10).................................................7
+ 5.1.5 saslBindInProgress(14).......................................7
+ 5.2 Description of Error Codes......................................7
+ 5.2.1 General Error Codes..........................................7
+ 5.2.1.1 other(80)................................................7
+ 5.2.2 Specific Error Codes.........................................7
+ 5.2.2.1 Attribute Problem Error Codes............................7
+ 5.2.2.1.1 noSuchAttribute(16)...................................8
+ 5.2.2.1.2 undefinedAttributeType(17)............................8
+ 5.2.2.1.3 inappropriateMatching(18).............................8
+ 5.2.2.1.4 constraintViolation(19)...............................8
+ 5.2.2.1.5 attributeOrValueExists(20)............................8
+ 5.2.2.1.6 invalidAttributeSyntax(21)............................8
+ 5.2.2.2 NameProblem Error Codes..................................9
+ 5.2.2.2.1 noSuchObject(32)......................................9
+ 5.2.2.2.2 aliasProblem(33)......................................9
+ 5.2.2.2.3 invalidDNSyntax(34)...................................9
+ 5.2.2.3 SecurityProblem Error Codes..............................9
+ 5.2.2.3.1 authMethodNotSupported(7).............................9
+ 5.2.2.3.2 strongAuthRequired(8)................................10
+ 5.2.2.3.3 confidentialityRequired(13)..........................10
+ 5.2.2.3.4 aliasDereferencingProblem(36)........................10
+ 5.2.2.3.5 inappropriateAuthentication(48)......................10
+ 5.2.2.3.6 invalidCredentials(49)...............................11
+ 5.2.2.3.7 insufficientAccessRights(50).........................11
+ 5.2.2.4 ServiceProblem Error Codes..............................11
+ 5.2.2.4.1 operationsError(1)...................................11
+ 5.2.2.4.2 protocolError(2).....................................11
+ 5.2.2.4.3 timeLimitExceeded(3).................................12
+ 5.2.2.4.4 sizeLimitExceeded(4).................................12
+ 5.2.2.4.5 adminLimitExceeded(11)...............................12
+ 5.2.2.4.6 unavailableCriticalExtension(12).....................12
+ 5.2.2.4.7 busy(51).............................................13
+ 5.2.2.4.8 unavailable(52)......................................13
+ 5.2.2.4.9 unwillingToPerform(53)...............................13
+ 5.2.2.4.10 loopDetect(54)......................................13
+ 5.2.2.5 UpdateProblem Error Codes...............................13
+ 5.2.2.5.1 namingViolation(64)..................................13
+ 5.2.2.5.2 objectClassViolation(65).............................14
+ 5.2.2.5.3 notAllowedOnNonLeaf(66)..............................14
+ 5.2.2.5.4 notAllowedOnRDN(67)..................................14
+
+Just, Leclair, Sermersheim, Smith INTERNET-DRAFT 3
+
+
+ LDAPv3 Result Codes: Definitions and Appropriate Use Apr, 2000
+
+ 5.2.2.5.5 entryAlreadyExists(68)...............................14
+ 5.2.2.5.6 objectClassModsProhibited(69)........................14
+ 5.2.2.5.7 affectsMultipleDSAs(71)..............................15
+ 6 LDAP Operations.................................................15
+ 6.1 Common Result Codes............................................16
+ 6.1.1 Non-erroneous results.......................................16
+ 6.1.2 Security Errors.............................................16
+ 6.1.3 Service Errors..............................................16
+ 6.1.4 General Errors..............................................16
+ 6.2 Bind Operation Errors..........................................16
+ 6.2.1 Non-erroneous results.......................................17
+ 6.2.2 Name Errors.................................................17
+ 6.2.3 Security Errors.............................................17
+ 6.3 Search Operation Errors........................................17
+ 6.3.1 Name Errors.................................................18
+ 6.3.2 Attribute Errors............................................18
+ 6.3.3 Security Errors.............................................18
+ 6.3.4 Service Errors..............................................18
+ 6.4 Modify Operation Errors........................................18
+ 6.4.1 Name Errors.................................................19
+ 6.4.2 Update Errors...............................................19
+ 6.4.3 Attribute Errors............................................19
+ 6.4.4 Security Errors.............................................19
+ 6.5 Add Operation Errors...........................................19
+ 6.5.1 Name Errors.................................................20
+ 6.5.2 Update Errors...............................................20
+ 6.5.3 Attribute Errors............................................20
+ 6.5.4 Security Errors.............................................20
+ 6.6 Delete Operation Errors........................................21
+ 6.6.1 Name Errors.................................................21
+ 6.6.2 Update Errors...............................................21
+ 6.6.3 Security Errors.............................................21
+ 6.7 ModifyDN Operation Errors......................................21
+ 6.7.1 Name Errors.................................................22
+ 6.7.2 Update Errors...............................................22
+ 6.7.3 Attribute Errors............................................22
+ 6.7.4 Security Errors.............................................22
+ 6.8 Compare Operation Errors.......................................22
+ 6.8.1 Name Errors.................................................23
+ 6.8.2 Attribute Errors............................................23
+ 6.8.3 Security Errors.............................................23
+ 6.8.4 Example.....................................................23
+ 6.9 Extended Operation Errors......................................24
+ 6.10 Operations with no Server Response............................24
+ 6.11 Unsolicited Notification......................................24
+ 6.12 Controls......................................................25
+ 7. Security Considerations........................................25
+ 8. References.....................................................25
+ 9. Acknowledgments................................................25
+ 10. Author's Addresses............................................26
+ 11 Appendix A: Operation/Response Matrix..........................27
+ 12 Full Copyright Statement.......................................29
+
+5. Result Codes in LDAPv3
+
+Just, Leclair, Sermersheim, Smith INTERNET-DRAFT 4
+
+
+ LDAPv3 Result Codes: Definitions and Appropriate Use Apr, 2000
+
+
+ In this section, a glossary of the result codes that may be returned
+ from a server to a client is provided. This section is meant to
+ provide a central, unified source for these definitions. RFC 2251
+ [RFC2251] and X.511 [X511] were primary sources, forming the basis
+ for the definitions given in this section.
+
+ LDAP v3 [RFC2251] defines the following result message for return
+ from the server to the client, where "new" indicates those codes that
+ were not used in LDAP v2.
+
+ LDAPResult ::= SEQUENCE {
+ resultCode ENUMERATED {
+ success (0),
+ operationsError (1),
+ protocolError (2),
+ timeLimitExceeded (3),
+ sizeLimitExceeded (4),
+ compareFalse (5),
+ compareTrue (6),
+ authMethodNotSupported (7),
+ strongAuthRequired (8),
+ -- 9 reserved --
+ referral (10), -- new
+ adminLimitExceeded (11), -- new
+ unavailableCriticalExtension (12), -- new
+ confidentialityRequired (13), -- new
+ saslBindInProgress (14), -- new
+ noSuchAttribute (16),
+ undefinedAttributeType (17),
+ inappropriateMatching (18),
+ constraintViolation (19),
+ attributeOrValueExists (20),
+ invalidAttributeSyntax (21),
+ -- 22-31 unused --
+ noSuchObject (32),
+ aliasProblem (33),
+ invalidDNSyntax (34),
+ -- 35 reserved for undefined isLeaf --
+ aliasDereferencingProblem (36),
+ -- 37-47 unused --
+ inappropriateAuthentication (48),
+ invalidCredentials (49),
+ insufficientAccessRights (50),
+ busy (51),
+ unavailable (52),
+ unwillingToPerform (53),
+ loopDetect (54),
+ -- 55-63 unused --
+ namingViolation (64),
+ objectClassViolation (65),
+ notAllowedOnNonLeaf (66),
+ notAllowedOnRDN (67),
+ entryAlreadyExists (68),
+
+Just, Leclair, Sermersheim, Smith INTERNET-DRAFT 5
+
+
+ LDAPv3 Result Codes: Definitions and Appropriate Use Apr, 2000
+
+ objectClassModsProhibited (69),
+ -- 70 reserved for CLDAP --
+ affectsMultipleDSAs (71), -- new
+ -- 72-79 unused --
+ other (80) },
+ -- 81-90 reserved for APIs --
+ matchedDN LDAPDN,
+ errorMessage LDAPString,
+ referral [3] Referral OPTIONAL }
+
+ If a client receives a result code that is not listed above, it is to
+ be treated as an unknown error condition. A server MUST NOT return an
+ API result code (81-90).
+
+ The LDAP result includes an errorMessage field, which may, at the
+ server's option, be used to return a string containing a textual,
+ human-readable error diagnostic. As this error diagnostic is not
+ standardized, implementations MUST NOT rely on the values returned.
+ If the server chooses not to return a textual diagnostic, the
+ errorMessage field of the LDAPResult type MUST contain a zero length
+ string.
+
+ In the following subsections, definitions for each result code are
+ provided. In addition, the operations that may return each result
+ code are also identified. The set of all operations consists of the
+ following: Bind; Search; Modify; Add; Delete; ModifyDN; Extended; and
+ Compare.
+
+5.1 Description of Non-Erroneous Result Codes
+
+ Five result codes that may be returned in LDAPResult are not used to
+ indicate an error. These result codes are listed below. The first
+ three codes, indicate to the client that no further action is
+ required in order to satisfy their request. In contrast, the last
+ two errors require further action by the client in order to complete
+ their original operation request.
+
+5.1.1 success(0)
+
+ Applicable operations: all except for Compare.
+
+ This result code does not indicate an error. It is returned when the
+ client operation completed successfully.
+
+5.1.2 compareFalse(5)
+
+ Applicable operations: Compare.
+
+ This result code does not indicate an error. It is used to indicate
+ that the result of a Compare operation is FALSE.
+
+5.1.3 compareTrue(6)
+
+ Applicable operations: Compare.
+
+Just, Leclair, Sermersheim, Smith INTERNET-DRAFT 6
+
+
+ LDAPv3 Result Codes: Definitions and Appropriate Use Apr, 2000
+
+
+ This result code does not indicate an error. It is used to indicate
+ that the result of a Compare operation is TRUE.
+
+5.1.4 referral(10)
+
+ Applicable operations: all.
+
+ This result code is new in LDAPv3. Rather than indicating an error,
+ this result code is used to indicate that the server does not hold
+ the target entry of the request but is able to provide alternative
+ servers that may. A set of server(s) URLs may be returned in the
+ referral field, which the client may subsequently query to attempt to
+ complete their operation.
+
+5.1.5 saslBindInProgress(14)
+
+ Applicable operations: Bind.
+
+ This result code is new in LDAPv3. This result code is not an error
+ response from the server, but rather, is a request for bind
+ continuation. The server requires the client to send a new bind
+ request, with the same SASL mechanism, to continue the authentication
+ process [RFC2251, Section 4.2.3].
+
+5.2 Description of Error Codes
+
+ General error codes (see Section 5.2.1) are typically returned only
+ when no suitable specific error exists. Specific error codes (see
+ Section 5.2.2) are meant to capture situations that are specific to
+ the requested operation.
+
+5.2.1 General Error Codes
+
+ A general error code typically specifies an error condition for which
+ there is no suitable specific error code. If the server can return an
+ error, which is more specific than the following general errors, then
+ the specific error should be returned instead.
+
+5.2.1.1 other(80)
+
+ Applicable operations: all.
+
+ This error code should be returned only if no other error code is
+ suitable. Use of this error code should be avoided if possible.
+ Details of the error should be provided in the error message.
+
+5.2.2 Specific Error Codes
+
+ Specific errors are used to indicate that a particular type of error
+ has occurred. These error types are Name, Update, Attribute,
+ Security, and Service.
+
+5.2.2.1 Attribute Problem Error Codes
+
+Just, Leclair, Sermersheim, Smith INTERNET-DRAFT 7
+
+
+ LDAPv3 Result Codes: Definitions and Appropriate Use Apr, 2000
+
+
+ An attribute error reports a problem related to an attribute
+ specified by the client in their request message.
+
+5.2.2.1.1 noSuchAttribute(16)
+
+ Applicable operations: Modify, Compare.
+
+ This error may be returned if the attribute specified as an argument
+ of the operation does not exist in the entry.
+
+5.2.2.1.2 undefinedAttributeType(17)
+
+ Applicable operations: Modify, Add.
+
+ This error may be returned if the specified attribute is unrecognized
+ by the server, since it is not present in the serverÆs defined
+ schema. If the server doesnÆt recognize an attribute specified in a
+ search request as the attribute to be returned the server should not
+ return an error in this case - it should just return values for the
+ requested attributes it does recognize. Note that this result code
+ only applies to the Add and Modify operations [X.511, Section 12.4].
+
+5.2.2.1.3 inappropriateMatching(18)
+
+ Applicable operations: Search.
+
+ An attempt was made, e.g., in a filter, to use a matching rule not
+ defined for the attribute type concerned [X511, Section 12.4].
+
+5.2.2.1.4 constraintViolation(19)
+
+ Applicable operations: Modify, Add, ModifyDN.
+
+ This error should be returned by the server if an attribute value
+ specified by the client violates the constraints placed on the
+ attribute as it was defined in the DSA - this may be a size
+ constraint or a constraint on the content.
+
+5.2.2.1.5 attributeOrValueExists(20)
+
+ Applicable operations: Modify, Add.
+
+ This error should be returned by the server if the value specified by
+ the client already exists within the attribute.
+
+5.2.2.1.6 invalidAttributeSyntax(21)
+
+ Applicable operations: Modify, Add.
+
+ This error should be returned by the server if the attribute syntax
+ for the attribute value, specified as an argument of the operation,
+ is unrecognized or invalid.
+
+
+Just, Leclair, Sermersheim, Smith INTERNET-DRAFT 8
+
+
+ LDAPv3 Result Codes: Definitions and Appropriate Use Apr, 2000
+
+5.2.2.2 NameProblem Error Codes
+
+ A name error reports a problem related to the distinguished name
+ provided as an argument to an operation [X511, Section 12.5].
+
+ For result codes of noSuchObject, aliasProblem, invalidDNSyntax and
+ aliasDereferencingProblem (see Section 5.2.2.3.7), the matchedDN
+ field is set to the name of the lowest entry (object or alias) in the
+ directory that was matched. If no aliases were dereferenced while
+ attempting to locate the entry, this will be a truncated form of the
+ name provided, or if aliases were dereferenced, of the resulting
+ name, as defined in section 12.5 of X.511 [X511]. The matchedDN field
+ is to be set to a zero length string with all other result codes
+ [RFC2251, Section 4.1.10].
+
+5.2.2.2.1 noSuchObject(32)
+
+ Applicable operations: all except for Bind.
+
+ This error should only be returned if the target object cannot be
+ found. For example, in a search operation if the search base can not
+ be located in the DSA the server should return noSuchObject. If,
+ however, the search base is found but does not match the search
+ filter, success, with no resultant objects, should be returned
+ instead of noSuchObject.
+
+ If the LDAP server is a front end for an X.500 DSA then noSuchObject
+ may also be returned if discloseOnError is not granted for an entry
+ and the client does not have permission to view or modify the entry.
+
+5.2.2.2.2 aliasProblem(33)
+
+ Applicable operations: Search.
+
+ An alias has been dereferenced which names no object [X511, Section
+ 12.5].
+
+5.2.2.2.3 invalidDNSyntax(34)
+
+ Applicable operations: all.
+
+ This error should be returned by the server if the DN syntax is
+ incorrect. It should not be returned if the DN is correctly formed
+ but represents an entry which is not permitted by the structure rules
+ at the DSA; in this case namingViolation should be returned instead.
+
+5.2.2.3 SecurityProblem Error Codes
+
+ A security error reports a problem in carrying out an operation for
+ security reasons [X511, Section 12.7].
+
+5.2.2.3.1 authMethodNotSupported(7)
+
+ Applicable operations: Bind.
+
+Just, Leclair, Sermersheim, Smith INTERNET-DRAFT 9
+
+
+ LDAPv3 Result Codes: Definitions and Appropriate Use Apr, 2000
+
+
+ This error code should be returned if the client requests, in a Bind
+ request, an authentication method which is not supported or
+ recognized by the server.
+
+5.2.2.3.2 strongAuthRequired(8)
+
+ Applicable operations: all.
+
+ This error may be returned on a bind request if the server only
+ accepts strong authentication or it may be returned when a client
+ attempts an operation which requires the client to be strongly
+ authenticated - for example Delete.
+
+ This result code may also be returned in an unsolicited notice of
+ disconnection if the server detects that an established underlying
+ security association protecting communication between the client and
+ server has unexpectedly failed or been compromised. [RFC2251, Section
+ 4.4.1]
+
+5.2.2.3.3 confidentialityRequired(13)
+
+ Applicable operations: all.
+
+ This error code is new in LDAPv3. This error code may be returned if
+ the session is not protected by a protocol which provides session
+ confidentiality. For example, if the client did not establish a TLS
+ connection using a cipher suite which provides confidentiality of the
+ session before sending any other requests, and the server requires
+ session confidentiality then the server may reject that request with
+ a result code of confidentialityRequired.
+
+5.2.2.3.4 aliasDereferencingProblem(36)
+
+ Applicable operations: Search.
+
+ An alias was encountered in a situation where it was not allowed or
+ where access was denied [X511, Section 12.5]. For example, if the
+ client does not have read permission for the aliasedObjectName
+ attribute and its value then the error aliasDereferencingProblem
+ should be returned. [X511, Section 7.11.1.1]
+
+ Notice that this error has similar meaning to
+ insufficientAccessRights(50) (see Section 5.2.2.3.7), but is specific
+ to Searching on an alias.
+
+ (See note at start of Section 5.2.2.2 regarding this error code.)
+
+5.2.2.3.5 inappropriateAuthentication(48)
+
+ Applicable operations: Bind.
+
+ This error should be returned by the server when the client has tried
+ to use a method of authentication that is inappropriate, that is a
+
+Just, Leclair, Sermersheim, Smith INTERNET-DRAFT 10
+
+
+ LDAPv3 Result Codes: Definitions and Appropriate Use Apr, 2000
+
+ method of authentication which the client is unable to use correctly.
+ In other words, the level of security associated with the requestorÆs
+ credentials is inconsistent with the level of protection requested,
+ e.g. simple credentials were supplied while strong credentials were
+ required [X511, Section 12.7].
+
+5.2.2.3.6 invalidCredentials(49)
+
+ Applicable operations: Bind.
+
+ This error code is returned if the DN or password used in a simple
+ bind operation is incorrect, or if the DN or password is incorrect
+ for some other reason, e.g. the password has expired. This result
+ code only applies to Bind operations -- it should not be returned for
+ other operations if the client does not have sufficient permission to
+ perform the requested operation - in this case the return code should
+ be insufficientAccessRights.
+
+5.2.2.3.7 insufficientAccessRights(50)
+
+ Applicable operations: all except for Bind.
+
+ The requestor does not have the right to carry out the requested
+ operation [X511, Section 12.7]. Note that the more specific
+ aliasDereferencingProblem (see Section 5.2.2.3.4) is returned in case
+ of a Search on an alias where the requestor has
+ insufficientAccessRights.
+
+5.2.2.4 ServiceProblem Error Codes
+
+ A service error reports a problem related to the provision of the
+ service [X511, Section 12.8].
+
+5.2.2.4.1 operationsError(1)
+
+ Applicable operations: all except Bind.
+
+ If the server requires that the client bind before browsing or
+ modifying the directory, the server MAY reject a request other than
+ binding, unbinding or an extended request with the "operationsError"
+ result. [RFC2251, Section 4.2.1]
+
+5.2.2.4.2 protocolError(2)
+
+ Applicable operations: all.
+
+ A protocol error should be returned by the server when an invalid or
+ malformed request is received from the client. This may be a request
+ that is not recognized as an LDAP request, for example, if a
+ nonexistent operation were specified in LDAPMessage. As well, it may
+ be the result of a request that is missing a required parameter, such
+ as a search filter in a search request. If the server can return an
+ error, which is more specific than protocolError, then this error
+ should be returned instead. For example if the server does not
+
+Just, Leclair, Sermersheim, Smith INTERNET-DRAFT 11
+
+
+ LDAPv3 Result Codes: Definitions and Appropriate Use Apr, 2000
+
+ recognize the authentication method requested by the client then the
+ error authMethodNotSupported should be returned instead of
+ protocolError. The server may return details of the error in the
+ error string.
+
+5.2.2.4.3 timeLimitExceeded(3)
+
+ Applicable operations: all.
+
+ This error should be returned when the time to perform an operation
+ has exceeded either the time limit specified by the client (which may
+ only be set by the client in a search operation) or the limit
+ specified by the server. If the time limit is exceeded on a search
+ operation then the result is an arbitrary selection of the
+ accumulated results [X511, Section 7.5]. Note that an arbitrary
+ selection of results may mean that no results are returned to the
+ client.
+
+ If the LDAP server is a front end for an X.500 server, any operation
+ that is chained may exceed the timelimit, therefore clients can
+ expect to receive timelimitExceeded for all operations. For stand
+ alone LDAP-Servers that do not implement chaining it is unlikely that
+ operations other than search operations will exceed the defined
+ timelimit.
+
+5.2.2.4.4 sizeLimitExceeded(4)
+
+ Applicable operations: Search.
+
+ This error should be returned when the number of results generated by
+ a search exceeds the maximum number of results specified by either
+ the client or the server. If the size limit is exceeded then the
+ results of a search operation will be an arbitrary selection of the
+ accumulated results, equal in number to the size limit [X511, Section
+ 7.5].
+
+5.2.2.4.5 adminLimitExceeded(11)
+
+ Applicable operations: all.
+
+ This error code is new in LDAPv3. The server has reached some limit
+ set by an administrative authority, and no partial results are
+ available to return to the user [X511, Section 12.8]. For example,
+ there may be an administrative limit to the number of entries a
+ server will check when gathering potential search result candidates
+ [Net].
+
+5.2.2.4.6 unavailableCriticalExtension(12)
+
+ Applicable operations: all.
+
+ This error code is new in LDAPv3. The server was unable to satisfy
+ the request because one or more critical extensions were not
+ available [X511, Section 12.8]. This error is returned, for example,
+
+Just, Leclair, Sermersheim, Smith INTERNET-DRAFT 12
+
+
+ LDAPv3 Result Codes: Definitions and Appropriate Use Apr, 2000
+
+ when a control submitted with a request is marked critical but is not
+ recognized by a server or when such a control is not appropriate for
+ the operation type. [RFC2251 section 4.1.12].
+
+5.2.2.4.7 busy(51)
+
+ Applicable operations: all.
+
+ This error code may be returned if the server is unable to process
+ the clientÆs request at this time. This implies that if the client
+ retries the request shortly the server will be able to process it
+ then.
+
+5.2.2.4.8 unavailable(52)
+
+ Applicable operations: all.
+
+ This error code is returned when the server is unavailable to process
+ the clientÆs request. This usually means that the LDAP server is
+ shutting down [RFC2251, Section 4.2.3].
+
+5.2.2.4.9 unwillingToPerform(53)
+
+ Applicable operations: all.
+
+ This error code should be returned by the server when a client
+ request is properly formed but which the server is unable to complete
+ due to server-defined restrictions. For example, the server, or some
+ part of it, is not prepared to execute this request, e.g. because it
+ would lead to excessive consumption of resources or violates the
+ policy of an Administrative Authority involved [X511, Section 12.8].
+ If the server is able to return a more specific error code such as
+ adminLimitExceeded it should. This error may also be returned if the
+ client attempts to modify attributes which can not be modified by
+ users, e.g., operational attributes such as creatorsName or
+ createTimestamp [X511, Section 7.12]. If appropriate, details of the
+ error should be provided in the error message.
+
+5.2.2.4.10 loopDetect(54)
+
+ Applicable operations: all.
+
+ This error may be returned by the server if it detects an alias or
+ referral loop, and is unable to satisfy the clientÆs request.
+
+5.2.2.5 UpdateProblem Error Codes
+
+ An update error reports problems related to attempts to add, delete,
+ or modify information in the DIB [X511, Section 12.9].
+
+5.2.2.5.1 namingViolation(64)
+
+ Applicable operations: Add, ModifyDN.
+
+
+Just, Leclair, Sermersheim, Smith INTERNET-DRAFT 13
+
+
+ LDAPv3 Result Codes: Definitions and Appropriate Use Apr, 2000
+
+ The attempted addition or modification would violate the structure
+ rules of the DIT as defined in the directory schema and X.501. That
+ is, it would place an entry as the subordinate of an alias entry, or
+ in a region of the DIT not permitted to a member of its object class,
+ or would define an RDN for an entry to include a forbidden attribute
+ type [X511, Section 12.9].
+
+5.2.2.5.2 objectClassViolation(65)
+
+ Applicable operations: Modify, Add, ModifyDN.
+
+ This error should be returned if the operation requested by the user
+ would violate the objectClass requirements for the entry if carried
+ out. On an add or modify operation this would result from trying to
+ add an object class without a required attribute, or by trying to add
+ an attribute which is not permitted by the current object class set
+ in the entry. On a modify operation this may result from trying to
+ remove a required attribute without removing the associated auxiliary
+ object class, or by attempting to remove an object class while the
+ attributes it permits are still present.
+
+5.2.2.5.3 notAllowedOnNonLeaf(66)
+
+ Applicable operations: Delete, ModifyDN.
+
+ This operation should be returned if the client attempts to perform
+ an operation which is permitted only on leaf entries - e.g., if the
+ client attempts to delete a non-leaf entry. If the directory does
+ not permit ModifyDN for non-leaf entries then this error may be
+ returned if the client attempts to change the DN of a non-leaf entry.
+ (Note that 1988 edition X.500 servers only permitted change of the
+ RDN of an entry's DN [X.511, Section 11.4.1]).
+
+5.2.2.5.4 notAllowedOnRDN(67)
+
+ Applicable operations: Modify.
+
+ The attempted operation would affect the RDN (e.g., removal of an
+ attribute which is a part of the RDN) [X511, Section 12.9]. If the
+ client attempts to remove from an entry any of its distinguished
+ values, those values which form the entry's relative distinguished
+ name the server should return the error notAllowedOnRDN. [RFC2251,
+ Section 4.6]
+
+5.2.2.5.5 entryAlreadyExists(68)
+
+ Applicable operations: Add, ModifyDN.
+
+ This error should be returned by the server when the client attempts
+ to add an entry which already exists, or if the client attempts to
+ rename an entry with the name of an entry which exists.
+
+5.2.2.5.6 objectClassModsProhibited(69)
+
+
+Just, Leclair, Sermersheim, Smith INTERNET-DRAFT 14
+
+
+ LDAPv3 Result Codes: Definitions and Appropriate Use Apr, 2000
+
+ Applicable operations: Modify.
+
+ An operation attempted to modify an object class that should not be
+ modified, e.g., the structural object class of an entry. Some
+ servers may not permit object class modifications, especially
+ modifications to the structural object class since this may change
+ the entry entirely, name forms, structure rules etc. [X.511, Section
+ 12.9].
+
+5.2.2.5.7 affectsMultipleDSAs(71)
+
+ Applicable operations: ModifyDN.
+
+ This error code is new for LDAPv3. This error code should be returned
+ to indicate that the operation could not be performed since it
+ affects more than one DSA.
+
+ X.500 restricts the ModifyDN operation to only affect entries that
+ are contained within a single server. If the LDAP server is mapped
+ onto DAP, then this restriction will apply, and the resultCode
+ affectsMultipleDSAs will be returned if this error occurred. In
+ general clients MUST NOT expect to be able to perform arbitrary
+ movements of entries and subtrees between servers [RFC2251, Section
+ 4.9].
+
+6 LDAP Operations
+
+ LDAP v3 [RFC2251] defines the following LDAPMessage for conveyance of
+ the intended operation request from the client to the server.
+
+ LDAPMessage ::= SEQUENCE {
+ messageID MessageID,
+ protocolOp CHOICE {
+ bindRequest BindRequest,
+ bindResponse BindResponse,
+ unbindRequest UnbindRequest,
+ searchRequest SearchRequest,
+ searchResEntry SearchResultEntry,
+ searchResDone SearchResultDone,
+ searchResRef SearchResultReference,
+ modifyRequest ModifyRequest,
+ modifyResponse ModifyResponse,
+ addRequest AddRequest,
+ addResponse AddResponse,
+ delRequest DelRequest,
+ delResponse DelResponse,
+ modDNRequest ModifyDNRequest,
+ modDNResponse ModifyDNResponse,
+ compareRequest CompareRequest,
+ compareResponse CompareResponse,
+ abandonRequest AbandonRequest,
+ extendedReq ExtendedRequest,
+ extendedResp ExtendedResponse },
+ controls [0] Controls OPTIONAL }
+
+Just, Leclair, Sermersheim, Smith INTERNET-DRAFT 15
+
+
+ LDAPv3 Result Codes: Definitions and Appropriate Use Apr, 2000
+
+
+ MessageID ::= INTEGER (0 .. maxInt)
+
+ maxInt INTEGER ::= 2147483647 -- (2^^31 - 1) -
+
+ Starting in Section 6.2, behaviour regarding the return of each
+ result code is specified for each operation. Section 6.1 indicates
+ those result codes that are typically applicable to all operations.
+
+6.1 Common Result Codes
+
+ The following result codes are applicable to, and may be returned in
+ response to all operations (except where stated otherwise).
+
+6.1.1 Non-erroneous results
+
+ For all but a Compare operation, a success(0) result code will be
+ returned in the case that the requested operation succeeds; a
+ compareTrue would be returned for a Compare operation. For each
+ operation, the server may return referral(10), as defined in Section
+ 5.1.4.
+
+6.1.2 Security Errors
+
+ Of the six possible security errors, two may be returned in response
+ to every operation. These two errors are strongAuthRequired(8) and
+ confidentialityRequired(13).
+
+6.1.3 Service Errors
+
+ All service errors, except operationsError(1), and
+ sizeLimitExceeded(4) may be returned in response to any LDAP v3
+ operation. operationsError(1) is applicable to all operations except
+ Bind. sizeLimitExceeded is only applicable to the Search operation.
+
+6.1.4 General Errors
+
+ The general error other(80)is applicable to all operations.
+
+6.2 Bind Operation Errors
+
+ If the bind operation succeeds then a result code of success will be
+ returned to the client. If the server does not hold the target entry
+ of the request, a referral(10) may be returned. If the operation
+ fails then the result code will be one of the following from the set
+ of non-erroneous result, name errors, security errors, service
+ errors, and general errors.
+
+ If the server does not support the client's requested protocol
+ version, it MUST set the resultCode to protocolError.
+ If the client receives a BindResponse response where the resultCode
+ was protocolError, it MUST close the connection as the server will be
+ unwilling to accept further operations. (This is for compatibility
+
+
+Just, Leclair, Sermersheim, Smith INTERNET-DRAFT 16
+
+
+ LDAPv3 Result Codes: Definitions and Appropriate Use Apr, 2000
+
+ with earlier versions of LDAP, in which the bind was always the first
+ operation, and there was no negotiation.) [RFC2251, Section 5.2.3]
+
+ The remaining errors listed in this section are operation-specific.
+ An operation may also result in the return of any of the common
+ errors, as listed in Section 6.1.
+
+6.2.1 Non-erroneous results
+
+ In addition to success or referral, the following non-erroneous
+ result code may be returned:
+
+ saslBindInProgress: the server requires the client to send a new bind
+ request, with the same sasl mechanism, to continue the authentication
+ process,
+
+6.2.2 Name Errors
+
+ invalidDNSyntax: the DN provided does not have the correct syntax,
+
+6.2.3 Security Errors
+
+ As stated in Section 6.1.2, strongAuthRequired(8) and
+ confidentialityRequired(13) may be returned for any operation.
+
+ authMethodNotSupported: unrecognized SASL mechanism name,
+
+ inappropriateAuthentication: the server requires the client which had
+ attempted to bind anonymously or without supplying credentials to
+ provide some form of credentials,
+
+ invalidCredentials: the wrong password was supplied or the SASL
+ credentials could not be processed, [RFC2251, Section 4.2.3]
+
+6.3 Search Operation Errors
+
+ X.500 provides three separate operations for searching the directory
+ - Read of a single entry, List of an entryÆs children and search of
+ an entire sub-tree. LDAP provides a single search operation, however
+ the X.500 operations can be simulated by using base, one-level and
+ sub-tree scope restrictions respectively.
+
+ If the Search operation succeeds then zero or more search entries
+ will be returned followed by a search result of success. If the
+ server does not hold the target entry of the request, a referral(10)
+ may be returned. If the search operation fails then zero or more
+ search entries will be returned followed by a search result
+ containing one of the following result codes from the set of name
+ errors, attribute errors, security errors, service errors, and
+ general errors.
+
+ The remaining errors listed in this section are operation-specific.
+ An operation may also result in the return of any of the common
+ errors, as listed in Section 6.1.
+
+Just, Leclair, Sermersheim, Smith INTERNET-DRAFT 17
+
+
+ LDAPv3 Result Codes: Definitions and Appropriate Use Apr, 2000
+
+
+6.3.1 Name Errors
+
+ noSuchObject: the base object, for the search, does not exist.
+
+ aliasProblem: an alias was dereferenced which named no object.
+
+ invalidDNSyntax: the DN provided for the search base does not have
+ the correct syntax,
+
+6.3.2 Attribute Errors
+
+ inappropriateMatching: an attempt was made to use a matching rule not
+ defined for an attribute in the search filter.
+
+6.3.3 Security Errors
+
+ As stated in Section 6.1.2, strongAuthRequired(8) and
+ confidentialityRequired(13) may be returned for any operation.
+
+ aliasDereferenceProblem: The client does not have permission for the
+ aliasedObjectName attribute or to search the dereferenced alias
+ object.
+
+ insufficientAccessRights: The requestor does not have sufficient
+ permissions to perform the search. aliasDereferenceProblem should be
+ returned in this case, if applicable.
+
+6.3.4 Service Errors
+
+ In addition to the common service errors indicated in Section 6.1.3,
+ the following service error may also be returned:
+
+ sizeLimitExceeded: the number of search results exceeds the size
+ limit specified by the client or the server. If the server has
+ defined a maximum PDU size, this error may also be returned if the
+ size of the combined results exceeds this limit.
+
+6.4 Modify Operation Errors
+
+ The Modify operation cannot be used to remove from an entry any of
+ its distinguished values, those values that form the entry's relative
+ distinguished name. An attempt to do so will result in the server
+ returning the error notAllowedOnRDN. The Modify DN Operation
+ described in section 5.9 is used to rename an entry. [RFC2251,
+ Section 4.6]
+
+ If the modify operation succeeds, a result code of success will be
+ returned to the client. If the server does not hold the target entry
+ of the request, a referral(10) may be returned. If the operation
+ fails, the result code will be one of the following from the set of
+ name errors, update errors, attribute errors, security errors,
+ service errors, and general errors.
+
+
+Just, Leclair, Sermersheim, Smith INTERNET-DRAFT 18
+
+
+ LDAPv3 Result Codes: Definitions and Appropriate Use Apr, 2000
+
+ The remaining errors listed in this section, are operation-specific.
+ An operation may also result in the return of any of the common
+ errors, as listed in Section 6.1.
+
+6.4.1 Name Errors
+
+ noSuchObject: the target object does not exist.
+
+ invalidDNSyntax: the DN provided does not have the correct syntax,
+
+6.4.2 Update Errors
+
+ objectClassViolation: An attempt was made to modify an object which
+ is illegal according to its object class definition in the schema or
+ DIT content rules for that object class.
+
+ notAllowedOnRDN: An attempt was made to modify the object entryÆs
+ distinguished name
+
+ objectClassModsProhibited: The modification attempted to change an
+ entryÆs object class which is not allowed.
+
+6.4.3 Attribute Errors
+
+ noSuchAttribute: the attribute to be modified does not exist in the
+ target entry.
+
+ undefinedAttributeType: The attribute specified does not exist in the
+ server's defined schema.
+
+ constraintViolation: The modification would create an attribute value
+ outside the normal bounds.
+
+ attributeOrValueExists: The modification would create a value which
+ already exists within the attribute.
+
+ invalidAttributeSyntax: The value specified doesnÆt adhere to the
+ syntax definition for that attribute.
+
+6.4.4 Security Errors
+
+ As stated in Section 6.1.2, strongAuthRequired(8) and
+ confidentialityRequired(13) may be returned for any operation.
+
+ insufficientAccessRights: The requestor does not have sufficient
+ permissions to modify the entry.
+
+6.5 Add Operation Errors
+
+ The superior of the entry must exist for the operation to succeed. If
+ not, a noSuchObject error is returned and the matchedDN field will
+ contain the name of the lowest entry in the directory that was
+ matched.
+
+
+Just, Leclair, Sermersheim, Smith INTERNET-DRAFT 19
+
+
+ LDAPv3 Result Codes: Definitions and Appropriate Use Apr, 2000
+
+ If the add operation succeeds, a result code of success will be
+ returned to the client. If the server does not hold the target entry
+ of the request, a referral(10) may be returned. If the operation
+ fails, the result code will be one of the following from the set of
+ name errors, update errors, attribute errors, security errors,
+ service errors, and general errors.
+
+ The remaining errors listed in this section, are operation-specific.
+ An operation may also result in the return of any of the common
+ errors, as listed in Section 6.1.
+
+6.5.1 Name Errors
+
+ noSuchObject: One or more superiors to the target entry do not exist.
+
+ invalidDNSyntax: the DN provided does not have the correct syntax,
+
+6.5.2 Update Errors
+
+ namingViolation: Either the target entry cannot be created under the
+ specified superior due to DIT structure rules, or the target entry is
+ named by an RDN not permitted by the DIT name form rule for its
+ object class.
+
+ objectClassViolation: An attempt was made to add an entry and one of
+ the following conditions existed: A required attribute was not
+ specified; an attribute was specified which is not permitted by the
+ current object class set in the entry; a structural object class
+ value was not specified; an object class value was specified that
+ doesnÆt exist in the schema.
+
+ entryAlreadyExists: The target entry already exists.
+
+6.5.3 Attribute Errors
+
+ undefinedAttributeType: The attribute specified does not exist in the
+ server's defined schema.
+
+ constraintViolation: The attribute value falls outside the bounds
+ specified by the attribute syntax.
+
+ attributeOrValueExists: A duplicate attribute value appears in the
+ list of attributes for the entry.
+
+ invalidAttributeSyntax: The value specified doesnÆt adhere to the
+ syntax definition for that attribute.
+
+6.5.4 Security Errors
+
+ As stated in Section 6.1.2, strongAuthRequired(8) and
+ confidentialityRequired(13) may be returned for any operation.
+
+
+
+
+Just, Leclair, Sermersheim, Smith INTERNET-DRAFT 20
+
+
+ LDAPv3 Result Codes: Definitions and Appropriate Use Apr, 2000
+
+ insufficientAccessRights: The requestor does not have sufficient
+ permissions to either add the entry or to add one or more of the
+ attributes specified.
+
+6.6 Delete Operation Errors
+
+ If the delete operation succeeds, a result code of success will be
+ returned to the client. If the server does not hold the target entry
+ of the request, a referral(10) may be returned. If the operation
+ fails, the result code will be one of the following from the set of
+ name errors, update errors, security errors, service errors, and
+ general errors.
+
+ The remaining errors listed in this section, are operation-specific.
+ An operation may also result in the return of any of the common
+ errors, as listed in Section 6.1.
+
+6.6.1 Name Errors
+
+ noSuchObject: The target entry does not exist.
+
+ invalidDNSyntax: the DN provided does not have the correct syntax,
+
+6.6.2 Update Errors
+
+ notAllowedOnNonLeaf: The target entry is not a leaf object. Only
+ objects having no subordinate objects in the tree may be deleted.
+
+6.6.3 Security Errors
+
+ As stated in Section 6.1.2, strongAuthRequired(8) and
+ confidentialityRequired(13) may be returned for any operation.
+
+ insufficientAccessRights: The requestor does not have sufficient
+ permissions to delete the entry.
+
+6.7 ModifyDN Operation Errors
+
+ Note that X.500 restricts the ModifyDN operation to only affect
+ entries that are contained within a single server. If the LDAP server
+ is mapped onto DAP, then this restriction will apply, and the
+ resultCode affectsMultipleDSAs will be returned if this error
+ occurred. In general clients MUST NOT expect to be able to perform
+ arbitrary movements of entries and subtrees between servers.
+ [RFC2251, Section 4.9]
+
+ If the Modify DN operation succeeds then a result code of success
+ will be returned to the client. If the server does not hold the
+ target entry of the request, a referral(10) may be returned. If the
+ operation fails then the result code will be one of the following
+ from the set of name errors, update errors, attribute errors,
+ security errors, service errors, and general errors.
+
+
+
+Just, Leclair, Sermersheim, Smith INTERNET-DRAFT 21
+
+
+ LDAPv3 Result Codes: Definitions and Appropriate Use Apr, 2000
+
+ The remaining errors listed in this section, are operation-specific.
+ An operation may also result in the return of any of the common
+ errors, as listed in Section 6.1.
+
+6.7.1 Name Errors
+
+ noSuchObject: the target object does not exist or a new superior
+ object was specified that does not exist.
+
+ invalidDNSyntax: the DN provided does not have the correct syntax.
+
+6.7.2 Update Errors
+
+ namingViolation: Either the target entry cannot be moved to the
+ specified superior due to DIT structure rules, or the target entry is
+ named by an RDN not permitted by the DIT name form rule for its
+ object class.
+
+ objectClassViolation: The client has specified that the old RDN
+ values should be removed from the entry (using the 'deleteOldRdn'
+ parameter) but the removal of these values would violate the entry's
+ schema. [RFC 2251 Section 4.9]
+
+ notAllowedOnNonLeaf: If the server does not permit the ModifyDN
+ operation on non-leaf entries this error will be returned if the
+ client attempts to rename a non-leaf entry
+
+ entryAlreadyExists: The target entry already exists.
+
+ AffectsMultipleDSAs: X.500 restricts the ModifyDN operation to only
+ affect entries that are contained within a single server. If the LDAP
+ server is mapped onto DAP, then this restriction will apply, and the
+ resultCode affectsMultipleDSAs will be returned if this error
+ occurred. In general clients MUST NOT expect to be able to perform
+ arbitrary movements of entries and sub-trees between servers.
+ [RFC2251, Section 4.9]
+
+6.7.3 Attribute Errors
+
+ constraintViolation: The operation would create an attribute value
+ outside the normal bounds.
+
+6.7.4 Security Errors
+
+ As stated in Section 6.1.2, strongAuthRequired(8) and
+ confidentialityRequired(13) may be returned for any operation.
+
+ insufficientAccessRights: The requestor does not have sufficient
+ permissions to either add the entry or to add one or more of the
+ attributes specified.
+
+6.8 Compare Operation Errors
+
+
+
+Just, Leclair, Sermersheim, Smith INTERNET-DRAFT 22
+
+
+ LDAPv3 Result Codes: Definitions and Appropriate Use Apr, 2000
+
+ If there exists a value within the attribute being compared that
+ matches the purported argument and for which compare permissions is
+ granted, the operation returns the value compareTrue in the result,
+ otherwise, the operation returns compareFalse. [X511, Section 9.2.4]
+ If the server does not hold the target entry of the request, a
+ referral(10) may be returned.
+
+ If the compare operation can not be completed, then the server may
+ return one of the following results from the set of name errors,
+ attribute errors, security errors, service errors, and general
+ errors.
+
+ The remaining errors listed in this section are operation-specific.
+ An operation may also result in the return of any of the common
+ errors, as listed in Section 6.1.
+
+6.8.1 Name Errors
+
+ noSuchObject: the entry to be compared does not exist in the
+ directory.
+
+ invalidDNSyntax: the DN provided for the entry to be compared does
+ not have the correct syntax.
+
+6.8.2 Attribute Errors
+
+ noSuchAttribute: the attribute to be compared does not exist in the
+ target entry.
+
+ invalidAttributeSyntax: The value specified doesnÆt adhere to the
+ syntax definition for that attribute.
+
+6.8.3 Security Errors
+
+ As stated in Section 6.1.2, strongAuthRequired(8) and
+ confidentialityRequired(13) may be returned for any operation.
+
+ insufficientAccessRights: If the client does not have read permission
+ for the entry to be compared, or for the attribute then
+ insufficientAccessRights should be returned, [X511, Section 9.2.4]
+
+6.8.4 Example
+
+ The following example is included to demonstrate the expected
+ responses for the compare operation.
+ Given the following entry:
+
+ dn: cn=Foo
+ objectClass: top
+ objectClass: person
+ sn: bar
+ userPassword: xyz
+
+
+
+Just, Leclair, Sermersheim, Smith INTERNET-DRAFT 23
+
+
+ LDAPv3 Result Codes: Definitions and Appropriate Use Apr, 2000
+
+ i) Compare with userPassword=xyz results in a compareTrue because the
+ requested value exists in the entry.
+
+ ii) Compare with userPassword=abc results in a compareFalse because
+ the entry contains a userPassword attribute but the value abc is not
+ present.
+
+ iii) Compare with telephoneNumber=123-456-7890 results in a
+ noSuchAttribute. The attribute telephoneNumber is permissible in the
+ entry based on the schema defined in the server but because it is
+ empty it does not exist in the target entry.
+
+ iv) Compare with ou=myOrg results in noSuchAttribute. The requested
+ attribute is a recognized attribute but it is neither present nor is
+ it valid for the target entry.
+
+ v) Compare with bogusAttr=abc results in noSuchAttribute. The
+ requested attribute is not a recognized attribute nor is it present
+ in the target entry.
+
+ Note that the response for scenarios 3 through 5 is always
+ noSuchAttribute. The semantics of the compare operation is simply
+ "does the target entry contain the specified value?" and so no
+ distinction is made between a request for an unknown, invalid, or,
+ valid but empty attribute. In all cases if the attribute is not
+ present in the entry then the result is noSuchAttribute.
+
+6.9 Extended Operation Errors
+
+ The results returned for an extended operation vary, depending on the
+ particular operation. In any case, extended Operations MAY return any
+ result code (excepting 81-90).
+
+ If the server does not recognize the request name, it MUST return
+ only the response fields from LDAPResult, containing the
+ protocolError result code [RFC2251, Section 4.12]
+
+6.10 Operations with no Server Response
+
+ The LDAP v3 protocol has two client operations for which no server
+ response is returned. Specifically, these are unbindRequest, and
+ abandonRequest. Since no response is returned, there is no need to
+ consider possible result codes for these operations.
+
+6.11 Unsolicited Notification
+
+ In some situations, a server may issue a "response" to a client for
+ which there was no client request. This notification "is used to
+ signal an extraordinary condition in the server or in the connection
+ between the client and the server. The notification is of an
+ advisory nature, and the server will not expect any response to be
+ returned from the client." [RFC2251, Section 4.4]
+
+
+
+Just, Leclair, Sermersheim, Smith INTERNET-DRAFT 24
+
+
+ LDAPv3 Result Codes: Definitions and Appropriate Use Apr, 2000
+
+ RFC 2251 [RFC2251] describes a notice of disconnection in which a
+ protocolError, strongAuthRequired, or unavailable result code may be
+ returned. The reader is directed there for further information.
+
+6.12 Controls
+
+ Section 4.1.12 of [RFC2251] specifies the syntax for controls that
+ may be sent as part of a request. [RFC2251] defines no specific
+ controls. It should be noted that the semantics of a control may
+ alter the result code that might otherwise have been returned for the
+ requested operation (see Section 5.2.2.4.6 for example).
+
+7. Security Considerations
+
+ This draft is meant to complement and enhance the coverage of result
+ codes for LDAP v3, as described in RFC 2251 [RFC2251]. Section 7 of
+ RFC 2251 [RFC2251] lists a number of security considerations specific
+ to LDAP v3.
+
+ Note that in X.500 if the discloseOnError permission is not granted
+ then many operations will return noSuchObject instead of a more
+ specific error. As there is currently no equivalent for this
+ permission in LDAP, LDAP-only servers should return the appropriate
+ error code in the event of an error.
+
+8. References
+
+ [RFC2026] S. Bradner, "The Internet Standards Process - Revision
+ 3", RFC 2026, October 1996.
+
+ [RFC2119] S. Bradner, "Key words for use in RFCs to Indicate
+ Requirement Levels", RFC 2119, March 1997.
+
+ [RFC2251] M. Wahl, T. Howes, S. Kille, "Lightweight Directory
+ Access Protocol", RFC 2251, December 1997.
+
+ [X511] ITU-T Recommendation X.511, "The Directory: Abstract
+ Service Definition", 1993.
+
+ [TLS] J. Hodges, R.L. Morgan, M. Wahl, "Lightweight Directory
+ Access Protocol (v3): Extension for Transport Layer
+ Security", June 1999. <draft-ietf-ldapext-ldapv3-tls-
+ 05.txt> "work in progress"
+
+ [Net] Netscape Directory SDK 3.0 for C ProgrammerÆs Guide,
+ Chapter 19: Result Codes. Available at Error! Bookmark
+ not defined.
+
+
+9. Acknowledgments
+
+ The production of this document relied heavily on the information
+ available from RFC 2251 [RFC2251] and ITU-T Recommendation X.511
+ [X511].
+
+Just, Leclair, Sermersheim, Smith INTERNET-DRAFT 25
+
+
+ LDAPv3 Result Codes: Definitions and Appropriate Use Apr, 2000
+
+
+10. Author's Addresses
+
+ Mike Just
+ Entrust Technologies
+ 750 Heron Rd, Tower E
+ Ottawa, Ontario, Canada
+ mike.just@entrust.com
+
+ Kristianne Leclair
+ Entrust Technologies
+ 750 Heron Rd, Tower E
+ Ottawa, Ontario, Canada
+ kristianne.leclair@entrust.com
+
+ Jim Sermersheim
+ Novell
+ 122 East 1700 South
+ Provo, Utah 84606, USA
+ Error! Bookmark not defined.
+
+ Mark Smith
+ Netscape
+ 501 Ellis Street
+ Mountain View, CA 94043
+ Error! Bookmark not defined.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Just, Leclair, Sermersheim, Smith INTERNET-DRAFT 26
+
+
+ LDAPv3 Result Codes: Definitions and Appropriate Use Apr, 2000
+
+
+11 Appendix A: Operation/Response Matrix
+
+
+ Result Codes Operations
+
+ B S M A D M C
+ i e o d e o o
+ n a d d l d m
+ d r i e D p
+ c f t N a
+ h y e r
+ e
+
+ Non-erroneous results
+
+ success (0) X X X X X X
+
+ compareFalse (5) X
+
+ compareTrue (6) X
+
+ referral (10) X X X X X X X
+
+ saslBindInProgress (14) X
+
+ Name errors
+
+ noSuchObject (32) X X X X X X
+
+ aliasProblem (33) X
+
+ invalidDNSyntax (34) X X X X X X X
+
+ Update errors
+
+ namingViolation (64) X X
+
+ objectClassViolation (65) X X X
+
+ notAllowedOnNonLeaf (66) X X
+
+ notAllowedonRDN (67) X
+
+ entryAlreadyExists (68) X X
+
+ objectClassModesProhibite X
+ d (69)
+
+ affectsMultipleDSAs (71) X
+
+ Attribute errors
+
+ noSuchAttribute(16) X X
+
+ undefinedAttributeType X X
+ (17)
+
+ inappropriateMatching X
+ (18)
+
+ constraintViolation (19) X X X
+
+ attributeOrValueExists X X
+ (20)
+
+ invalidAttributeSyntax X X
+ (21)
+
+ Security errors
+
+ authMethodNotSupported X
+ (7)
+
+ strongAuthRequired (8) X X X X X X X
+
+ confidentialityRequred(13 X X X X X X X
+ )
+
+ aliasDereferencingProblem X
+ (36)
+
+ inappropriateAuthenticati X
+ on (48)
+
+
+
+Just, Leclair, Sermersheim, Smith INTERNET-DRAFT 27
+
+
+ LDAPv3 Result Codes: Definitions and Appropriate Use Apr, 2000
+
+
+ invalidCredentials (49) X
+
+ insufficientAccessRights X X X X X X
+ (50)
+
+ Service errors
+
+ operationsError (1) X X X X X X
+
+ protocolError (2) X X X X X X X
+
+ timeLimitExceeded (3) X X X X X X X
+
+ sizeLimitExceeded (4) X
+
+ adminLimitExceeded (11) X X X X X X X
+
+ unavailableCriticialExten X X X X X X X
+ sion (12)
+
+ busy (51) X X X X X X X
+
+ unavailable (52) X X X X X X X
+
+ unwillingToPerform (53) X X X X X X X
+
+ loopDetect (54) X X X X X X X
+
+ General errors
+
+ other (80) X X X X X X X
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Just, Leclair, Sermersheim, Smith INTERNET-DRAFT 28
+
+
+ LDAPv3 Result Codes: Definitions and Appropriate Use Apr, 2000
+
+
+12 Full Copyright Statement
+
+ Copyright (C) The Internet Society (Oct 1999). All Rights Reserved.
+ This document and translations of it may be copied and furnished to
+ others, and derivative works that comment on or otherwise explain it
+ or assist in its implementation may be prepared, copied, published
+ and distributed, in whole or in part, without restriction of any
+ kind, provided that the above copyright notice and this paragraph are
+ included on all such copies and derivative works. However, this
+ document itself may not be modified in any way, such as by removing
+ the copyright notice or references to the Internet Society or other
+ Internet organizations, except as needed for the purpose of
+ developing Internet standards in which case the procedures for
+ copyrights defined in the Internet Standards process must be
+ followed, or as required to translate it into languages other than
+ English.
+
+ The limited permissions granted above are perpetual and will not be
+ revoked by the Internet Society or its successors or assigns.
+
+ This document and the information contained herein is provided on an
+ "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET
+ ENGINEERINGTASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED,
+ INCLUDINGBUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
+ INFORMATIONHEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
+ WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Just, Leclair, Sermersheim, Smith INTERNET-DRAFT 29
+
projects / openldap / commitdiff