UnboundID LDAP SDK for Java

Ping Identity
Product Information

LDAPv3 Wire Protocol Reference

The LDAPResult Sequence

Every type of LDAP request looks a little different. Each request is encapsulated in an LDAPMessage sequence, but the protocolOp element within that LDAPMessage will have a different format each type of operation. For example, an add request protocol operation contains the DN and attributes of the entry to add, while a search request contains all of the criteria to use for that search (the base DN, scope, filter, requested attributes, and other elements).

But most types of LDAP responses look very similar. In fact, the structure of the add, compare, delete, modify, and modify DN response messages are identical, with the exception that the protocolOp element has a different BER type for each kind of operation. The same is true of the search result done protocol operation, although the server may also return zero or more search result entry and search result reference messages before the final search result done message. And the bind response and extended response protocol operations have the same core set of elements, but they may also have additional components not found in the other operation types.

In each of these cases, the basis of the response message is an LDAPResult sequence, which is defined as follows in RFC 4511 section 4.1.9:

LDAPResult ::= SEQUENCE {
     resultCode         ENUMERATED {
          success                      (0),
          operationsError              (1),
          protocolError                (2),
          timeLimitExceeded            (3),
          sizeLimitExceeded            (4),
          compareFalse                 (5),
          compareTrue                  (6),
          authMethodNotSupported       (7),
          strongerAuthRequired         (8),
               -- 9 reserved --
          referral                     (10),
          adminLimitExceeded           (11),
          unavailableCriticalExtension (12),
          confidentialityRequired      (13),
          saslBindInProgress           (14),
          noSuchAttribute              (16),
          undefinedAttributeType       (17),
          inappropriateMatching        (18),
          constraintViolation          (19),
          attributeOrValueExists       (20),
          invalidAttributeSyntax       (21),
               -- 22-31 unused --
          noSuchObject                 (32),
          aliasProblem                 (33),
          invalidDNSyntax              (34),
               -- 35 reserved for undefined isLeaf --
          aliasDereferencingProblem    (36),
               -- 37-47 unused --
          inappropriateAuthentication  (48),
          invalidCredentials           (49),
          insufficientAccessRights     (50),
          busy                         (51),
          unavailable                  (52),
          unwillingToPerform           (53),
          loopDetect                   (54),
               -- 55-63 unused --
          namingViolation              (64),
          objectClassViolation         (65),
          notAllowedOnNonLeaf          (66),
          notAllowedOnRDN              (67),
          entryAlreadyExists           (68),
          objectClassModsProhibited    (69),
               -- 70 reserved for CLDAP --
          affectsMultipleDSAs          (71),
               -- 72-79 unused --
          other                        (80),
          ...  },
     matchedDN          LDAPDN,
     diagnosticMessage  LDAPString,
     referral           [3] Referral OPTIONAL }

And the Referral type is defined in RFC 4511 section 4.1.10 as:

Referral ::= SEQUENCE SIZE (1..MAX) OF uri URI

URI ::= LDAPString     -- limited to characters permitted in
                       -- URIs

The elements of the LDAPResult sequence are as follows:

Examples of Encoded LDAP Results

To illustrate the encoded representation of an LDAP message, we’ll look at a couple of typical response types. The LDAPResult sequence itself is only used in the protocolOp element of an LDAPMessage, but it may have a different BER type for each kind of operation. For example, the AddResponse protocol operation is defined as follows in RFC 4511 section 4.7:

AddResponse ::= [APPLICATION 9] LDAPResult

This indicates that the BER type for the LDAPResult protocol operation for an add operation is 0x69. And the following is an example add response message with a message ID of three, a result code of success, and no matched DN, diagnostic message, referrals, or response controls:

30 0c -- Begin the LDAPMessage sequence
   02 01 03 -- The message ID (integer value 3)
   69 07 -- Begin the add response protocol op
      0a 01 00 -- success result code (enumerated value 0)
      04 00 -- No matched DN (0-byte octet string)
      04 00 -- No diagnostic message (0-byte octet string)

For a second example, let’s change the add response protocol op so that it has a result code of noSuchObject (32), a matched DN of ou=People, dc=example, dc=com, a diagnostic message of “Entry uid=missing1, ou=missing2, ou=People, dc=example, dc=com cannot be created because its parent does not exist.”, and no referral URLs. The encoded representation of that message is:

30 81 9d -- Begin the LDAPMessage sequence
   02 01 03 -- The message ID (integer value 3)
   69 81 97 -- Begin the add response protocol op
      0a 01 20 -- noSuchObject result code (enumerated value 32)
      04 1d 6f 75 3d 50 65 6f 70 6c -- Matched DN
            65 2c 20 64 63 3d 65 78 -- (29-byte octet string)
            61 6d 70 6c 65 2c 20 64
            63 3d 63 6f 6d
      04 73 45 6e 74 72 79 20 75 69 -- Diagnostic message
            64 3d 6d 69 73 73 69 6e -- (115-byte octet string)
            67 31 2c 20 6f 75 3d 6d
            69 73 73 69 6e 67 32 2c
            20 6f 75 3d 50 65 6f 70
            6c 65 2c 20 64 63 3d 65
            78 61 6d 70 6c 65 2c 20
            64 63 3d 63 6f 6d 20 63
            61 6e 6e 6f 74 20 62 65
            20 63 72 65 61 74 65 64
            20 62 65 63 61 75 73 65
            20 69 74 73 20 70 61 72
            65 6e 74 20 64 6f 65 73
            20 6e 6f 74 20 65 78 69
            73 74 2e

This third example demonstrates the encoding for an add response message that includes a referral indicating that the add request should be sent to another directory server. It has a result code of referral (10), no matched DN, a diagnostic message of “This server is read-only. Try a different one.”, and two referral URLs that differ only in the address of the server (the first one to alternate1.example.com and the second to alternate2.example.com):

30 81 cf -- Begin the LDAPMessage sequence
   02 01 03 -- The message ID (integer value 3)
   69 81 c9 -- Begin the add response protocol op
      0a 01 0a -- REFERRAL result code (enumerated value 10)
      04 00 -- No matched DN (0-byte octet string)
      04 2f 54 68 69 73 20 73 65 72 -- Diagnostic message
            76 65 72 20 69 73 20 72 -- (47-byte octet string)
            65 61 64 2d 6f 6e 6c 79
            2e 20 20 54 72 79 20 61
            20 64 69 66 66 65 72 65
            6e 74 20 6f 6e 65 2e
      a3 81 90 -- Begin the referrals sequence
         04 46 6c 64 61 70 3a 2f 2f 61 -- First referral URL
               6c 74 65 72 6e 61 74 65 -- (70-byte octet string)
               31 2e 65 78 61 6d 70 6c
               65 2e 63 6f 6d 3a 33 38
               39 2f 75 69 64 3d 6a 64
               6f 65 2c 6f 75 3d 52 65
               6d 6f 74 65 2c 64 63 3d
               65 78 61 6d 70 6c 65 2c
               64 63 3d 63 6f 6d
         04 46 6c 64 61 70 3a 2f 2f 61 -- Second referral URL
               6c 74 65 72 6e 61 74 65 -- (70-byte octet string)
               32 2e 65 78 61 6d 70 6c
               65 2e 63 6f 6d 3a 33 38
               39 2f 75 69 64 3d 6a 64
               6f 65 2c 6f 75 3d 52 65
               6d 6f 74 65 2c 64 63 3d
               65 78 61 6d 70 6c 65 2c
               64 63 3d 63 6f 6d

Previous: The LDAPMessage Sequence Next: The LDAP Abandon Operation