| Previous Contents Index DocHome Next |
| Netscape LDAP SDK for C LDAP SDK for C |
Chapter 19 Result Codes
This chapter lists the result codes that can be returned by functions in the LDAP SDK for C. These codes are specified in the LDAP protocol.For ease of reference, this chapter lists the result codes in two formats:
Result Codes Listed Alphabetically
Result Codes Listed Alphabetically
LDAP_ADMINLIMIT_EXCEEDED
LDAP_STRONG_AUTH_NOT_SUPPORTED
Result Codes Listed in Numerical Order
0 - LDAP_SUCCESS
7 - LDAP_STRONG_AUTH_NOT_SUPPORTED
10 - LDAP_REFERRAL
12 - LDAP_UNAVAILABLE_CRITICAL_EXTENSION
13 - LDAP_CONFIDENTIALITY_REQUIRED
14 - LDAP_SASL_BIND_IN_PROGRESS
17 - LDAP_UNDEFINED_TYPE
18 - LDAP_INAPPROPRIATE_MATCHING
19 - LDAP_CONSTRAINT_VIOLATION
20 - LDAP_TYPE_OR_VALUE_EXISTS
21 - LDAP_INVALID_SYNTAX
32 - LDAP_NO_SUCH_OBJECT
33 - LDAP_ALIAS_PROBLEM
324 - LDAP_INVALID_DN_SYNTAX
35 - LDAP_IS_LEAF
51 - LDAP_BUSY
52 - LDAP_UNAVAILABLE
54 - LDAP_LOOP_DETECT
60 - LDAP_SORT_CONTROL_MISSING
65 - LDAP_OBJECT_CLASS_VIOLATION
66 - LDAP_NOT_ALLOWED_ON_NONLEAF
68 - LDAP_ALREADY_EXISTS
69 - LDAP_NO_OBJECT_CLASS_MODS
71 - LDAP_AFFECTS_MULTIPLE_DSAS
80- LDAP_OTHER
81 - LDAP_SERVER_DOWN
82 - LDAP_LOCAL_ERROR
83 - LDAP_ENCODING_ERROR
84 - LDAP_DECODING_ERROR
85 - LDAP_TIMEOUT
86 - LDAP_AUTH_UNKNOWN
87 - LDAP_FILTER_ERROR
88 - LDAP_USER_CANCELLED
89 - LDAP_PARAM_ERROR
90 - LDAP_NO_MEMORY
91 - LDAP_CONNECT_ERROR
92 - LDAP_NOT_SUPPORTED
95 - LDAP_MORE_RESULTS_TO_RETURN
96 - LDAP_CLIENT_LOOP
This result code indicates that the "look through limit" on a search operation has been exceeded.
When working with the Directory Server, keep in mind the following:
If you are bound as the root DN, the server sets an infinite "look through limit".
The "look through limit" is the maximum number of entries that the server will check when gathering a list of potential search result candidates. See the Directory Server Administrator's Guide for details.If you are not bound as the root DN, the server sets the time limit to the value specified by the lookthroughtimelimit directive in the server's slapd.conf configuration file.
This result code indicates that the requested operation needs to be performed on multiple servers, where this operation is not permitted.
Currently, the Directory Server does not send this result code back to LDAP clients.
This result code indicates that a problem occurred when dereferencing an alias.
Currently, the Directory Server does not send this result code back to LDAP clients.
This result code indicates that a problem occurred when dereferencing an alias.
Currently, the Directory Server does not send this result code back to LDAP clients.
This result code indicates that the request is attempting to add an entry that already exists in the directory.
The Directory Server sends this result code back to the client in the following situations:
The request is an add request, and the entry already exists in the directory.
The request is a modify DN request, and the new DN of the entry already identifies another entry.
The request is adding an attribute to the schema, and an attribute with the specified name or OID already exists.
This result code indicates that an unknown authentication method was specified.
The LDAP API library sets this result code if ldap_bind() or ldap_bind_s() are called and an authentication method other than LDAP_AUTH_SIMPLE is specified. (These functions only allow you to use simple authentication.)
This result code indicates that the server is currently too busy to perform the requested operation.
At this point in time, neither the LDAP API library nor the Directory Server return this result code.
This result code indicates that the LDAP client (API library) detected a loop, for example, when following referrals.
This result code is returned after an LDAP compare operation is completed. The result indicates that the specified attribute value is not present in the specified entry.
This result code is returned after an LDAP compare operation is completed. The result indicates that the specified attribute value is present in the specified entry.
This result code indicates that confidentiality is required for the operation.
Currently, the Directory Server does not send this result code back to LDAP clients.
This result code indicates that the LDAP client cannot establish a connection (or has lost the connection) with the LDAP server.
The LDAP API library sets this result code. If you have not established an initial connection with the server, verify that you have specified the correct hostname and port number and that the server is running.
If you have lost the connection to the server, see "Handling Failover" for instructions on reconnecting to the server.
This result code indicates that a value in the request does not comply with certain constraints.
The Directory Server sends this result code back to the client in the following situations:
The request adds or modifies the userpassword attribute, and one of the following is true:
The server is configured to check the password syntax, and the length of the new password is less than the minimum password length.
The request is a bind request, and the user is locked out of the account. (For example, the server can be configured to lock a user out of the account after a given number of failed attempts to bind to the server.)The server is configured to check the password syntax, and the new password is the same as one of the values of the uid, cn, sn, givenname, ou, or mail attributes.
The server is configured to keep a history of previous passwords, and the new password is the same as one of the previous passwords.
This result code indicates that a requested LDAP control was not found.
The LDAP API library sets this result code when parsing a server response for controls and not finding the requested controls. For example:
ldap_parse_entrychange_control() is called, but no entry change notification control is found in the server's response.
For more information on controls, see Chapter 14 "Working with LDAP Controls."ldap_parse_sort_control() is called, but no server-side sorting control is found in the server's response.
ldap_parse_virtuallist_control() is called, but no virtual list view response control is found in the server's response.
This result code indicates that the LDAP client encountered an error when decoding the LDAP response received from the server.
This result code indicates that the LDAP client encountered an error when encoding the LDAP request to be sent to the server.
This result code indicates that an error occurred when specifying the search filter.
The LDAP API library sets this result code if it cannot encode the specified search filter in an LDAP search request.
This result code indicates that the type of credentials are not appropriate for the method of authentication used.
The Directory Server sends this result code back to the client if simple authentication is used in a bind request, but the entry has no userpassword attribute. And if SASL EXTERNAL is attempted on a non-SSL connection.
This result code indicates that an extensible match filter in a search request contained a matching rule that does not apply to the specified attribute type.
Currently, the Directory Server does not send this result code back to LDAP clients.
This result code indicates that the search results exceeded the range specified by the requested offsets.
This result code applies to search requests that contain "virtual list view" controls. For more information on this control, see "Using the Virtual List View Control."
Note that versions of the Directory Server prior to 4.0 do not support the "virtual list view" control.
This result code indicates that the client has insufficient access to perform the operation.
Check the user that you are authenticating as and the access control lists for the server. For information on checking ACLs on the server, see the iPlanet Directory Server Administrator's Guide.
This result code indicates that the credentials provided in the request are invalid.
The Directory Server sends this result code back to the client if a bind request contains the incorrect credentials for a user or if a user's password has already expired.
This result code indicates than an invalid DN has been specified.
The Directory Server sends this result code back to the client if an add request or a modify DN request specifies an invalid DN. It also sends this code when an SASL_EXTERNAL bind is attempted but certification to DN mapping fails.
This result code indicates that the request contains invalid syntax.
The Directory Server sends this result code back to the client in the following situations:
The server encounters an ACL with invalid syntax.
The request attempts to add or modify an aci attribute, and the value of the attribute is an ACI with invalid syntax.
The request is a search request with a substring filter, and the syntax of the filter is invalid.
The request is a modify request that is attempting to modify the schema, but no values are provided (for example, the request might be attempting to delete all values of the objectclass attribute).
This result code indicates that the specified entry is a leaf entry.
Currently, Directory Server does not send this result code back to LDAP clients.
This result code indicates that an error occurred in the LDAP client.
This result code indicates that the server was unable to perform the requested operation because of an internal loop.
Currently, the Directory Server does not send this result code back to LDAP clients.
This result code indicates that there are more results in the chain of results.
The LDAP API library sets this result code when the ldap_parse_sasl_bind_result() function is called to retrieve the result code of an operation, and additional result codes from the server are available in the LDAP structure.
This result code indicates that the request violates the structure of the DIT.
Currently, the Directory Server does not send this result code back to LDAP clients.
This result code indicates that no memory is available.
The LDAP API library sets this result code if a function cannot allocate memory (for example, when creating an LDAP request or an LDAP control).
This result code indicates that the request is attempting to modify the object class that should not be modified (for example, a structural object class).
Currently, the Directory Server does not send this result code back to LDAP clients.
This result code indicates that no results were returned from the server.
The LDAP API library sets this result code when the ldap_parse_result() function is called but no result code is included in the server's response.
This result code indicates that the specified attribute does not exist in the entry.
The Directory Server might send this result code back to the client if, for example, a modify request specifies the modification or removal of a non-existent attribute or if a compare request specifies a non-existent attribute.
This result code indicates that the server cannot find an entry specified in the request.
The Directory Server sends this result code back to the client if it cannot find a requested entry and if it cannot refer your client to another LDAP server.
This result code indicates that the requested operation is allowed only on entries that do not have child entries (entries that are "leaf" entries, as opposed to "branch" entries).
The Directory Server sends this result code back to the client if the request is a delete request or a modify DN request and the entry is a parent entry. (You cannot delete or move a branch of entries in a single operation.)
This result code indicates that the requested operation will affect the RDN of the entry.
The Directory Server sends this result code back to the client if the request is a modify request and the request deletes attribute values from the entry that are used in the RDN of the entry. (For example, if the DN is "uid=bjensen,ou=People,o=airius.com", the request removes the attribute value "uid=bjensen" from the entry.)
This result code indicates that the LDAP client is attempting to use functionality that is not supported.
The LDAP API library sets this result code if the client identifies itself as an LDAPv2 client, and the client is attempting to use functionality available in LDAPv3. For example:
You are passing LDAP controls to a function.
If you want to use these features, make sure to specify that your LDAP client is an LDAPv3 client. For instructions, see "Specifying the LDAP Version of Your Client."You are calling ldap_extended_operation(), ldap_extended_operation_s(), or ldap_parse_extended_result() to request an extended operation or to parse an extended response.
You are calling ldap_rename() or ldap_rename_s(), and you are specifying a new "superior DN" as an argument.
You are calling ldap_sasl_bind(), ldap_sasl_bind_s(), or ldap_parse_sasl_bind_result() to request SASL authentication or to parse a SASL bind response.
You are calling ldap_parse_virtuallist_control() to parse a virtual list control from the server's response.
This result code indicates that the request specifies a change to an entry or a new entry that does not comply with the server's schema.
The Directory Server sends this result code back to the client in the following situations:
The request is an add request, and the new entry does not comply with the schema. For example, the new entry does not have all the required attributes, or the entry has attributes that are not allowed in the entry.
Check the server error logs for more information, and check the schema for the type of entry that you are adding or modifying. For more information on the server's schema, see the iPlanet Directory Server Administrator's Guide.The request is a modify request, and the change will make the entry noncompliant with the schema. For example, the change removes a required attribute or adds an attribute that is not allowed.
This is a general result code indicating that an error has occurred.
The Directory Server might send this code if, for example, memory cannot be allocated on the server.
To troubleshoot this type of error, check the server's error logs. You may need to increase the log level of the server to get additional information. (See the iPlanet Directory Server Administrator's Guide for information on setting the log level of the server.)
This result code indicates than an unknown error has occurred.
At this point in time, neither the LDAP API library nor the Directory Server return this result code.
This result code indicates that an invalid parameter was specified.
The LDAP API library sets this result code if a function was called and invalid parameters were specified (for example, if the LDAP structure is NULL).
The Directory Server sends this result code to LDAPv2 clients to refer them to another LDAP server. When sending this code to a client, the server includes a newline-delimited list of LDAP URLs that identify another LDAP server.
If the client identifies itself as an LDAPv3 client in the request, the Directory Server sends an LDAP_REFERRAL result code instead of this result code.
This result code indicates that the LDAP client's request does not comply with the LDAP protocol.
The Directory Server sends this result code back to the client in the following situations:
The server cannot parse the incoming request.
To troubleshoot this type of error, check the server's error logs. You may need to increase the log level of the server to get additional information. See the iPlanet Directory Server Administrator's Guide for information on setting the log level of the server.The request specifies an attribute type that uses a syntax not supported by the server.
The request is a SASL bind request, but your client identifies itself as an LDAPv2 client.
The request is a bind request that specifies an unsupported version of the LDAP protocol.
- Make sure to specify that your LDAP client is an LDAPv3 client. For instructions, see "Specifying the LDAP Version of Your Client."
The request is an add or a modify request that specifies the addition of an attribute type to an entry, but no values are specified.
- Make sure to specify that your LDAP client is either an LDAPv2 client or an LDAPv3 client. For instructions, see "Specifying the LDAP Version of Your Client."
The request is a modify request, and one of the following is true:
An unknown modify operation is specified (an operation other than LDAP_MOD_ADD, LDAP_MOD_DELETE, and LDAP_MOD_REPLACE).
The request is a modify DN request, and one of the following is true:No modifications are specified.
The new RDN is not a valid RDN.
A new superior DN is specified, but your client identifies itself as an LDAPv2 client.
The request is a search request, and one of the following is true:
- Note that the Directory Server 3.x and 4.0 do not support the ability to move an entry from under one DN to another DN. If you specify a new superior DN, the request will not be processed.
An unknown scope is specified (a scope other than LDAP_SCOPE_BASE, LDAP_SCOPE_ONELEVEL, and LDAP_SCOPE_SUBTREE).
The request is a search request with a server-side sorting control, and one of the following is true:An unknown filter type is specified.
The filter type LDAP_FILTER_GE or LDAP_FILTER_LE is specified, but the type of attribute contains values that cannot be ordered. (For example, if the attribute type uses a binary syntax, the values of the attribute contain binary data, which cannot be sorted.)
The request contains an extensible filter (a filter using matching rules), but your client identifies itself as an LDAPv2 client. (Make sure to specify that your LDAP client is an LDAPv3 client. For instructions, see "Specifying the LDAP Version of Your Client.")
The request contains an extensible filter (a filter using matching rules), but the matching rule is not supported by the server.
The server does not have a syntax plug-in that supports the attribute used for sorting.
The request is an extended operation request, and the server does not support that extended operation.The syntax plug-in does not have a function for comparing values of the attribute. (This compare function is used for sorting.)
The type of attribute specified for sorting contains values that cannot be sorted in any order. For example, if the attribute type uses a binary syntax, the values of the attribute contain binary data, which cannot be sorted.
The server encounters an error when creating the sorting response control (the control to be sent back to the client).
When sorting the results, the time limit or the "look through limit" is exceeded. The "look through limit" is the maximum number of entries that the server will check when gathering a list of potential search result candidates. See the iPlanet Directory Server Administrator's Guide for details.
An authentication method other than LDAP_AUTH_SIMPLE or LDAP_AUTH_SASL is specified.
- In the Directory Server, extended operations are supported through extended operation server plug-ins. Make sure that the server is loading a plug-in that supports the extended operation. Check the OID of the extended operation in your LDAP client to make sure that it matches the OID of the extended operation registered in the server plug-in.
- For more information on extended operation server plug-ins, see the iPlanet Directory Server Plug-In Programmer's Guide.
This result code indicates that the server is referring the client to another LDAP server. When sending this code to a client, the server includes a list of LDAP URLs that identify another LDAP server.
This result code is part of the LDAPv3 protocol. For LDAPv2 clients, the Directory Server sends an LDAP_PARTIAL_RESULTS result code instead.
This result code indicates that the "referral hop limit" was exceeded.
The LDAP API library sets this result code when following referrals, if the client is referred to other servers more times than allowed by the "referral hop limit". For more information about the "referral hop limit", see "Limiting Referral Hops."
This result code indicates that the results of the request are too large.
Currently, the Directory Server does not send this result code back to LDAP clients.
This result code is used in multi-stage SASL bind operations. The server sends this result code back to the client to indicate that the authentication process has not yet completed.
For more information on SASL authentication, see Chapter 13 "Using SASL Authentication."
This result code indicates that the LDAP API library cannot establish a connection (or lost the connection) with the LDAP server.
The LDAP API library sets this result code. If you have not established an initial connection with the server, verify that you have specified the correct hostname and port number and that the server is running.
If you have lost the connection to the server, see "Handling Failover" for instructions on reconnecting to the server.
This result code indicates that the maximum number of search results to return has been exceeded.
The size limit is specified in the search request. If you specify no size limit, the server will set the time limit.
When working with the Directory Server, keep in mind the following:
If you are bound as the root DN and specify no size limit, the server enforces no size limit at all.
If you are not bound as the root DN and specify no size limit, the server sets the size limit to the value specified by the sizelimit directive in the server's slapd.conf configuration file.
If the size limit that you specify exceeds the value specified by the sizelimit directive in the server's slapd.conf configuration file, the server uses the size limit specified in the configuration file.
This result code indicates that server did not receive a required server-side sorting control.
The Directory Server 4.0 sends this result code back to the client if the server receives a search request with a "virtual list view" control but no server-side sorting control.
The "virtual list view" control requires a server-side sorting control. For more information on this control, see "Using the Virtual List View Control."
Note that versions of the Directory Server prior to 4.0 do not support the "virtual list view" control.
LDAP_STRONG_AUTH_NOT_SUPPORTED
This result code is returned as the result of a bind operation. This code indicates that the server does not recognize or support the specified authentication method.
This result code indicates that a stronger method of authentication is required to perform the operation.
Currently, the Directory Server does not send this result code back to LDAP clients.
This result code indicates that the LDAP operation was successful.
This result code indicates that the time limit on a search operation has been exceeded.
The time limit is specified in the search request. If you specify no time limit, the server will set the time limit.
When working with the Directory Server, keep in mind the following:
If you are bound as the root DN and specify no time limit, the server enforces no size limit at all.
If you are not bound as the root DN and specify no time limit, the server sets the time limit to the value specified by the timelimit directive in the server's slapd.conf configuration file.
If the time limit that you specify exceeds the value specified by the timelimit directive in the server's slapd.conf configuration file, the server uses the time limit specified in the configuration file.
This result code indicates that the LDAP client timed out while waiting for a response from the server.
The LDAP API library sets this result code in the LDAP structure if the timeout period (for example, in a search request) has been exceeded and the server has not responded.
This result code indicates that the request attempted to add an attribute type or value that already exists.
The Directory Server sends this result code back to the client in the following situations:
The request attempts to add values that already exist in the attribute.
The request is adding an attribute to the schema of the server, but the OID of the attribute is already used by an object class in the schema.
The request is adding an object class to the schema of the server, and one of the following occurs:
This result code indicates that the server is unavailable to perform the requested operation.
At this point in time, neither the LDAP API library nor the Directory Server return this result code.
LDAP_UNAVAILABLE_CRITICAL_EXTENSION
This result code indicates that the specified control or matching rule is not supported by the server.
The Directory Server might send back this result code if the request includes an unsupported control or if the filter in the search request specifies an unsupported matching rule.
This result code indicates that the request specifies an undefined attribute type.
Currently, the Directory Server does not send this result code back to LDAP clients.
This result code indicates that the server is unwilling to perform to requested operation.
The Directory Server sends this result code back to the client in the following situations:
The client has logged in for the first time and needs to change its password, but the client is requesting to perform other LDAP operations.
The NT Synch Service is running, and an operation is "vetoed" by the service.
- In this situation, the result code is accompanied by an expired password control. For details, see "Using Password Policy Controls."
The request is a modify DN request, and a "superior DN" is specified. (At this point in time, the Directory Server does not support the ability to use the modify DN operation to move an entry from one location in the directory tree to another location.)
The database is in read-only mode, and the request attempts to write to the directory.
The request is a delete request that attempts to delete the root DSE.
The request is a modify DN request that attempts to modify the DN of the root DSE.
The request is a modify request to modify the schema entry, and one of the following occurs:
The server uses a database plug-in that does not implement the operation specified in the request. For example, if the database plug-in does not implement the add operation, sending an add request will return this result code.
This result code indicates that the user cancelled the LDAP operation.
Currently, the Directory Server does not send this result code back to LDAP clients.
Previous Contents Index DocHome Next
Copyright © 2000 Sun Microsystems, Inc. Some preexisting portions Copyright © 2000 Netscape Communications Corp. All rights reserved.
Last Updated November 16, 2000