The core LDAPv3 specification in RFC 4511 defines a number of result codes that are intended to be used in LDAP responses. This chapter describes each of those result codes, the types of operations for which that result code may be returned, and some of the potential causes for it. However, it does not attempt to provide every possible cause for every result code, since different directory servers have different capabilities, and some servers use different result codes for the same purpose. Further, because LDAP is an extensible protocol, and especially because it provides support for controls and extended operations, there may be yet-to-be-created conditions that warrant the use of a particular result code for an unexpected type of operation.
Applicable operation types: add, bind, delete, extended, modify, modify DN, search
The success result code is used to indicate that the associated operation completed successfully. At least for some definition of success. It doesn’t necessarily mean that every single part of the operation completed exactly as intended. For example, if the request included a non-critical control that the server couldn’t honor for some reason, then it’s acceptable for the server to proceed as if the control hadn’t been included in the request and to return a response with the success result code if it completed all of the processing not related to that control.
For an add operation, the success result code indicates that the provided entry was created in the DIT.
For a bind operation, the success result code indicates that the provided credentials were valid, that the client connection was successfully authenticated as the target account, and that any requested authorization was applied.
For a delete operation, a success result code indicates that the targeted entry was removed.
For an extended operation, a success result code indicates that whatever processing is indicated for the associated request was completed without error. However, not all types of extended operations use the success result code for this purpose (for example, the cancel extended operation uses the canceled (118) result code to indicate that the target operation was successfully canceled). Just because an extended operation doesn’t return a result code of success doesn’t mean that an error occurred, so you should make sure that you understand the expected behavior for any extended operation that you expect to use.
For a modify operation, a success result code indicates that the request changes were applied to the targeted entry.
For a modify DN operation, a success result code indicates that the targeted entry was renamed or moved.
For a search operation, a success result code indicates that all appropriate search results were returned. There may have been matching entries (or attributes within matching entries) that weren’t returned because the client wasn’t permitted to access them or because they were otherwise outside the bounds of the search constraints.
Compare operations should never use the success result code. A compare operation that completes successfully should return either compareTrue (6) if the assertion matched or compareFalse (5) if it did not.
Applicable operation types: add, compare, delete, extended, modify, modify DN, search
The operationsError result code indicates that the operation could not be processed because it wasn’t in the expected order relative to other operations on the same connection. Some of the reasons that the server might return a response with an operationsError result code include:
Some directory servers incorrectly use the operationsError result code as if it meant “server error”. This isn’t the intended use for the operationsError result code, and the other (80) result code is the correct one to use for this purpose, but some servers do it nonetheless.
Applicable operation types: add, bind, compare, delete, extended, modify, modify DN, search
The protocolError result code indicates that there was a problem with the client’s use of the LDAP protocol. Some of the possible causes for the protocolError result code are:
Applicable operation types: add, bind, compare, delete, extended, modify, modify DN, search
The timeLimitExceeded result code indicates that the associated operation failed because it hadn’t completed by the time a maximum processing time limit had been reached. This result code can technically be returned in response to any kind of operation, but it’s most commonly used for searches because they have the most potential to take a very long time to complete (especially if the search matches a large number of entries or if the server doesn’t have the indexes necessary to process the request efficiently) and because only search requests allow the client to specify an upper bound for how long it wants the server to spend processing the operation.
Even though the client can specify the desired time limit in the search request, directory servers generally treat this as an upper bound. The server may impose its own time limit for the operation, and that time limit may be more restrictive than the one the client requested.
If a search operation fails with a timeLimitExceeded result code, then the server may have already returned a subset of the entries matching the search criteria. However, the client should not assume that this is the complete set of matching entries, and should not necessarily assume that they were returned in any particular order (unless the search request included a critical server-side sort request control).
The timeLimitExceeded result code may also be used in cases where the request is received by one LDAP server (or LDAP proxy server), and is then forwarded on to another server for processing. In the event the backend server takes too long to respond to this request, the intermediate server may give up and return a response with a timeLimitExceeded result code. If the requested operation is intended to alter the contents of the server, then the associated changes may or may not eventually be applied.
Applicable operation types: search
The sizeLimitExceeded result code indicates that the associated search operation failed because the server has determined that the number of entries that would be returned in response to the search would exceed the upper bound for that operation.
As with the timeLimitExceeded (3) result code, every search request includes an element that specifies the maximum size limit that the client wants to use, but the server may impose its own limit that is lower than the limit requested by the client. And the server may or may not have already returned some number of entries before encountering the size limit.
Applicable operation types: compare
The compareFalse result code indicates that the associated compare request targeted an entry that exists and that contains the targeted attribute, but does not have any value that matches the provided assertion value.
Applicable operation types: compare
The compareTrue result code indicates that the associated compare request targeted an entry that exists and that contains the targeted attribute with a value that matches the provided assertion value.
Applicable operation types: bind
The authMethodNotSupported result code indicates that the associated bind operation failed because the client attempted to authenticate with a mechanism that the server does not support or that it does not allow the client to use. This result code can be returned in response to a simple bind request if the server does not permit simple authentication. It can be returned in response to a SASL bind request if the server does not support the requested SASL mechanism, or if the client is not allowed to authenticate with that SASL mechanism.
Applicable operation types: add, bind, compare, delete, extended, modify, modify DN, search
The strongerAuthRequired (formerly strongAuthRequired) result code indicates that the server requires the client to authenticate with a stronger form of authentication.
If the strongerAuthRequired result code is received in response to a bind request, it indicates that the server requires a stronger form of authentication for that client. The client should try authenticating with a stronger mechanism.
If the strongerAuthRequired result code is received in response to some other type of request, it indicates that the requested operation is only allowed for clients that have completed some stronger form of authentication. The client should try authenticating with a stronger mechanism, and then re-submit the request that triggered this result code.
If the strongerAuthRequired result code is received in a notice of disconnection unsolicited notification, it indicates that the server believes that the security of the communication channel between the client and the server has failed or become compromised, and is terminating the connection as a result. The client should establish a new connection and negotiate a new security layer for that connection.
Applicable operation types: add, bind, compare, delete, extended, modify, modify DN, search
The referral result code indicates that the request cannot be processed exactly as issued, but that it might succeed if re-issued to a different server, or is updated to target a different location in the DIT. If the client supports following referrals, then it shouldn’t treat this as an error, but rather as an indication that the request needs to be tried again based on the information contained in the referral.
Some of the reasons that the server might return a response with the referral result code are:
When processing a search operation, the referral result code should only be used when locating the base entry for the search (for example, if the search base DN references an entry known to be in a portion of the DIT housed elsewhere, or if it resides at or below a smart referral entry). If the entry targeted by the search base DN is held locally but one or more portions of the search scope might require the client to issue the search elsewhere, then those referral URIs should be returned to the client in the form of search result reference messages.
It is also possible that the referral result code could be returned in response to a bind request. If the referral URIs indicate that the client should send the bind request to a different server, then it is generally recommended that the client send all subsequent operations to the same server targeted by the bind referral. If a client follows a bind referral to a different server, then the original server will not have any knowledge of that bind attempt, and its authentication state will not have been updated to reflect the success or failure of the bind in the other server.
Clients must be aware of the possibility that a request sent in response to a referral could itself yield another referral. This could happen, for example, if the server that returned the previous referral had outdated information about the location of the targeted entry, or if the referral targeted a server that was temporarily unable to process the request. Any client that supports following referrals should be prepared to receive nested referrals, and should also have some mechanism for detecting and avoiding referral loops (in which one referral contains a URI that indicates that the client should send a request that it has already sent). This could be accomplished by ensuring that the client remembers all of the request details for each attempt at processing a given operation, and having that client abort if it would send a request that it has already sent. Alternately, it could be accomplished by maintaining a counter that is to be incremented each time the client follows a referral and having the client abort if the counter reaches a specified value. RFC 4511 section 4.1.10 indicates that a client must be able to handle at least ten nested referrals (but honestly, that seems pretty excessive).
If the client detects a referral loop, then it should use the clientLoop (96) client-side result code. If the server detects a referral loop (for example, when attempting to automatically follow a referral on behalf of the client), then the loopDetect (54) result code is more appropriate.
Referrals are described in detail in RFC 4511 section 4.1.10, including the behavior that clients should exhibit when encountering referrals. The basic rules are:
Other considerations for following referrals include:
Applicable operation types: add, bind, compare, delete, extended, modify, modify DN, search
The adminLimitExceeded result code indicates that some administrative limit within the server was exceeded while processing the request. RFC 4511 does not provide any specific guidance on when this result code might be returned, but draft-just-ldapv3-rescodes suggests that a server might return it if there is some upper bound on the number of entries that it will examine in the course of processing a search. In fact, several directory servers do enforce such a limit, and that limit is often referred to as a lookthrough limit.
Another instance in which this result code might be returned would be in the case of a server that supports the subtree delete request control as described in draft-armijo-ldap-treedelete. If the server imposes an upper limit on the size of a subtree that may be deleted, then the server may return the adminLimitExceeded result code when trying to delete a subtree that contains more than that number of entries.
Applicable operation types: add, bind, compare, delete, extended, modify, modify DN, search
The unavailableCriticalExtension result code indicates that the request includes a control with a criticality of true, but that control could not be honored for some reason. Some of the potential causes for this result code include:
Applicable operation types: add, bind, compare, delete, extended, modify, modify DN, search
The confidentialityRequired result code indicates that the server is only willing to process the requested operation if it is received over a secure connection that does not allow an eavesdropper to decipher or alter the contents of the request or response. For example, a server may only permit operations that involve clear-text passwords (like a simple bind request or a password modify extended request) to be requested over a secure connection and could return this result code in response to an attempt to send a clear-text password over an insecure connection.
If a client receives the confidentialityRequired result code, then it should take steps to secure the existing connection (for example, using the StartTLS extended operation, or by binding with a SASL mechanism that supports the auth-conf quality of protection), or to establish a new secure connection (for example, using a TLS-based connection) before re-sending the request.
Applicable operation types: bind
The saslBindInProgress result code indicates that the server has completed a portion of the processing for the provided SASL bind request, but that it needs additional information from the client to complete the authentication. Certain SASL mechanisms, like CRAM-MD5, DIGEST-MD5, and GSSAPI, require multiple stages of processing and therefore require multiple request-response cycles with the server, and the saslBindInProgress result code is used in all bind responses except for the last one in the sequence (which will indicate whether the bind succeeded or failed).
This is not an error result, but it does mean that the client needs to send another bind request with the same SASL mechanism and additional credentials. The client must not send any other requests on the connection until it has sent a bind request and the server has returned a bind response with a non-saslBindInProgress result code. If a client sends any other kind of request in the middle of a multi-stage SASL bind, the server should reject that request with an operationsError (1) result code.
Applicable operation types: compare, modify
The noSuchAttribute result code indicates that the request targeted an attribute that does not exist in the specified entry.
For a compare request, it indicates that the targeted entry exists, but does not have any values for the attribute used in the compare assertion.
For a modify request, it indicates that the request attempted to delete one or more attribute values that don’t exist in the targeted entry, that the request attempted to delete an entire attribute that does not have any values in the targeted entry, or that attempted to increment the value of an attribute that does not have any values in the targeted entry.
Applicable operation types: add, modify
The undefinedAttributeType result code indicates that the request attempted to provide one or more values for an attribute type that is not defined in the server schema.
For an add request, it indicates that the provided entry included an attribute for which there is no corresponding attribute type definition in the schema.
For a modify request, it indicates that a modification attempted to add one or more values, or to replace the entire set of values, for an attribute type that is not defined in the server schema.
Applicable operation types: search
The inappropriateMatching result code indicates that the search request tried to perform some type of matching that is not supported for the target attribute type. Some of the potential causes for this result code include:
Applicable operation types: add, modify, modify DN
The constraintViolation result code indicates that the requested operation would have resulted in an entry that violates some constraint defined within the server. Some of the potential causes for this result code are:
Applicable operation types: add, modify
The attributeOrValueExists result code indicates that the requested operation would have resulted in an attribute in which the same value appeared more than once.
For an add request, it indicates that at least one of the attributes in the provided entry had a duplicate value.
For a modify request, it indicates that either an add or replace modification included the same value multiple times, or that an add modification attempted to add a value that already exists in the entry.
Applicable operation types: add, modify
The invalidAttributeSyntax result code indicates that the requested add or modify operation would have resulted in an entry that had at least one attribute value that does not conform to the constraints of the associated attribute syntax.
Applicable operation types: add, compare, delete, extended, modify, modify DN, search
The noSuchObject result code indicates that the requested operation targeted an entry that does not exist within the DIT.
For an add request, it means that the immediate parent of the entry to be added does not exist and that the DN of the entry to be added does not match any of the configured naming contexts.
For a compare, delete, or modify request, it indicates that the targeted entry does not exist.
For a modify DN request, it indicates that either the targeted entry does not exist, or that the provided new superior DN references an entry that does not exist.
For a search request, it indicates that the entry targeted by the search base DN does not exist.
The noSuchObject result code is not supposed to be returned in response to a bind operation. The invalidCredentials (49) result code should be used when the bind request targets an entry that does not exist, but some directory servers are known to incorrectly use the noSuchObject result code in this case.
A response that includes the noSuchObject result code may also include a matched DN to specify the DN of the nearest ancestor to the provided DN that does exist in the DIT. For example, if a modify request targets the nonexistent uid=missing,ou=People,dc=example,dc=com entry, but the ou=People,dc=example,dc=com entry does exist, then the modify response should have a result code of noSuchObject and a matched DN of ou=People,dc=example,dc=com. However, if none of the ancestors for the targeted entry exist in the DIT, or if the client does not have permission to access any of those ancestor entries, then the matched DN should be omitted from the response.
Applicable operation types: search
The aliasProblem result code indicates that a problem occurred while attempting to dereference an alias during search processing. For example, it may be used if an alias is encountered that references an entry that does not exist. In such cases, the search result done response may also include a matched DN that specifies the nearest ancestor to the dereferenced entry that does exist in the DIT.
Aliases are only to be dereferenced in the course of processing a search operation, so this result code does not apply to any other type of operation. If an alias-related problem is encountered for any other type of operation (for example, if a non-search operation targets an entry that is an alias), then the aliasDereferencingProblem (36) result code should be used.
Applicable operation types: add, bind, compare, delete, extended, modify, modify DN, search
The invalidDNSyntax result code indicates that the request included a malformed entry DN. It may indicate that the provided DN does not conform to the syntax specified in RFC 4514, or that one or more of the attribute values included in the DN does not conform to the associated attribute syntax.
For an add, compare, delete, or modify request, it indicates that the provided target entry DN is malformed.
For a simple bind request, it indicates that the provided target entry DN is malformed. For a SASL bind request, it indicates that the authentication or authorization identity was specified using a malformed DN.
For a modify DN request, this indicates that at least one of the target entry DN, the new RDN, or the new superior DN is malformed.
For a search request, it indicates that the search base DN is malformed.
In the event that the server is able to partially decode the provided DN, the response may also include a matched DN that specifies the nearest ancestor to the decodable portion of the DN that does exist within the server and that the requester has permission to access.
Applicable operation types: add, bind, compare, delete, extended, modify, modify DN, search
The aliasDereferencingProblem result code indicates that the server encountered an alias while processing the request and that there was some problem related to that alias.
The draft-just-ldapv3-rescodes draft suggests that this result code should only be returned for a search operation, especially if the client does not have permission to access the aliased entry, or if the client does not have permission to access the aliasedObjectName attribute in the alias entry. However, RFC 4511 also suggests that it may be returned in the event that an operation targets an alias entry in a manner that is not allowed. For example, aliases are not allowed to be dereferenced when processing non-search operations, so the aliasDereferencingProblem result code may be used to indicate that the targeted DN matched or was subordinate to the DN of an alias entry.
Applicable operation types: bind
The inappropriateAuthentication result code indicates that the client attempted to bind in an inappropriate manner that is inappropriate for the target account. Some possible reasons for this result code include:
Applicable operation types: bind
The invalidCredentials result code indicates that the client attempted to bind with a set of credentials that cannot be used to authenticate. Some of the potential reasons that this result code might be returned are:
Applicable operation types: add, compare, delete, extended, modify, modify DN, search
The insufficientAccessRights result code indicates that the client requested an operation for which it does not have the necessary access control permissions, with the following caveats:
Applicable operation types: add, bind, compare, delete, extended, modify, modify DN, search
The busy result code indicates that the requested operation cannot be processed because the server is currently too busy. The client may wish to re-submit the request at a later time or send it to a different server.
Applicable operation types: add, bind, compare, delete, extended, modify, modify DN, search
The unavailable result code indicates that the server is currently not available to process the requested operation. Some of the uses for this result code include:
If a client receives an unavailable result, it may wish to re-submit the request at a later time or send it to a different server.
Applicable operation types: add, bind, compare, delete, extended, modify, modify DN, search
The unwillingToPerform result code indicates that the server is not willing to process the requested operation for some reason. This is a fairly generic result code that may be used if the server refuses to process an operation for a reason that is not covered by a more specific result code. If there is a more specific result code, then that should be used instead. For example, if the client doesn’t have the necessary access control permissions that the operation requires, the server should return insufficientAccessRights (50) instead of unwillingToPerform.
There are many potential causes for this result code. Some of them include:
Applicable operation types: add, bind, compare, delete, extended, modify, modify DN, search
The loopDetect result code indicates that the server detected some kind of circular reference in the course of processing an operation. Some of the potential causes for this result code are:
In some cases, the server may use the loopDetect result code even if it hasn’t actually detected a loop. For example, some servers use a counter to keep track of the number of hops they’ve had to make when following a reference, and may assume that there’s a loop if the number of hops would exceed some maximum.
Applicable operation types: add, modify DN
The namingViolation result code indicates that the requested add or modify DN operation would have resulted in an entry that violates some naming constraint within the server. Some of the potential causes for this result code are:
Applicable operation types: add, modify, modify DN
The objectClassViolation result code indicates that the requested operation would have resulted in an entry that has an inappropriate set of object classes, or whose attributes violate the constraints associated with its set of object classes. Some of the possible reasons for this include:
Applicable operation types: delete, modify DN
The notAllowedOnNonLeaf result code indicates that the requested operation is only supported for leaf entries, but the targeted entry has one or more subordinates.
For a delete request, this indicates that the targeted entry has one or more subordinate entries. Under normal circumstances, a delete request is only allowed to remove leaf entries, although some servers may provide support for a control (like the one described in draft-armijo-ldap-treedelete) that allow removing an entry and all of its subordinates in a single request.
For a modify DN request, this indicates that the targeted entry has one or more subordinate entries and that the server does not support moving or renaming entries with subordinates. Some servers do support this capability, but others do not.
Applicable operation types: modify
The notAllowedOnNonRDN result code indicates that the requested modify operation would have resulted in an entry that does not include all of the attributes used in its RDN. The following modification types are not allowed:
If you wish to remove an attribute value from an entry, but that value is used in the entry’s RDN, you should use a modify DN request that specifies a new RDN that does not use that value, and whose “delete old RDN” flag is set to true. Standard LDAP does not provide a single type of operation that allows altering both an entry’s DN and other attributes in the entry that are not included in its DN, although some types of directory servers may provide some way to accomplish this in an atomic manner. For example, if a server supports LDAP transactions as described in RFC 5805, then a transaction may include both a modify DN request to update the entry’s DN and a modify request to make other changes to the entry’s attribute values.
Applicable operation types: add, modify DN
The entryAlreadyExists result code indicates that the requested operation would have resulted in an entry with the same DN as an entry that already exists in the server.
For an add request, it means that the server already contains an entry whose DN matches the DN contained in the request.
For a modify DN request without a new superior DN, it means that the server already contains an entry below the same parent of the targeted entry whose RDN matches the new RDN contained in the request.
For a modify DN request with a new superior DN, it means that the server already contains an entry below the specified new superior DN whose RDN matches the new RDN contained in the request.
Applicable operation types: modify
The objectClassModsProhibited result code indicates that the requested modify operation would have altered the target entry’s set of object classes in a way that is not supported. This is typically returned in response to a modify request that would cause the target entry to have a different structural object class.
Changing an entry’s structural object class is technically permitted by LDAP, but many servers do not support it because it can require a substantial amount of validation effort to ensure that the changes do not violate any constraints. In addition to all of the validation normally associated with a modify operation, changing an entry’s structural object class requires the following additional validation:
- Identifying the new DIT content rule (if any) that applies to the entry and ensuring that all of its constraints are satisfied, including required attribute types, prohibited attribute types, and permitted auxiliary object classes.
- Identifying the new name form (if any) that applies to the entry and ensuring that the entry’s RDN satisfies all of its constraints, including ensuring that the RDN has all required attribute types and does not include any attribute types that are not permitted.
- Identifying the DIT structure rule (if any) that applies to the entry and ensuring that the entry is still permitted to exist beneath its parent.
- Identifying the DIT structure rules (if any) that apply to each of the entry’s subordinates and ensuring that they are still permitted to exist beneath the entry.
Applicable operation types: add, delete, extended, modify, modify DN
The affectsMultipleDSAs result code indicates that the requested operation would have required manipulating information in multiple servers in a way that is not supported. Some of the potential conditions in which you might see this result code are:
Applicable operation types: add, bind, compare, delete, extended, modify, modify DN, search
The other result code is used when a problem occurs for which none of the other result codes is more appropriate. It is the correct result code to use in the event that an internal error occurs within the server (although some servers mistakenly use operationsError (1) for this purpose), but the other result code may be used for additional kinds of problems as well.
| Previous: The Elements of an LDAP Operation Response Message | Next: Other Server-Side Result Codes |