Mozilla LDAP C SDK Programmer's Guide
Chapter 19 - Result Codes
This chapter lists the result codes that can be returned by functions in the LDAP C SDK. These codes are specified in the LDAP protocol.
For ease of reference, this chapter lists the result codes in two formats:
Result Codes Listed Alphabetically
LDAP_ADMINLIMIT_EXCEEDED
LDAP_AFFECTS_MULTIPLE_DSAS
LDAP_ALIAS_DEREF_PROBLEM
LDAP_ALIAS_PROBLEM
LDAP_ALREADY_EXISTS
LDAP_AUTH_UNKNOWN
LDAP_BUSY
LDAP_CLIENT_LOOP
LDAP_COMPARE_FALSE
LDAP_COMPARE_TRUE
LDAP_CONFIDENTIALITY_REQUIRED
LDAP_CONNECT_ERROR
LDAP_CONSTRAINT_VIOLATION
LDAP_CONTROL_NOT_FOUND
LDAP_DECODING_ERROR
LDAP_ENCODING_ERROR
LDAP_FILTER_ERROR
LDAP_INAPPROPRIATE_AUTH
LDAP_INAPPROPRIATE_MATCHING
LDAP_INDEX_RANGE_ERROR
LDAP_INSUFFICIENT_ACCESS
LDAP_INVALID_CREDENTIALS
LDAP_INVALID_DN_SYNTAX
LDAP_INVALID_SYNTAX
LDAP_IS_LEAF
LDAP_LOCAL_ERROR
LDAP_LOOP_DETECT
LDAP_MORE_RESULTS_TO_RETURN
LDAP_NAMING_VIOLATION
LDAP_NO_MEMORY
LDAP_NO_OBJECT_CLASS_MODS
LDAP_NO_RESULTS_RETURNED
LDAP_NO_SUCH_ATTRIBUTE
LDAP_NO_SUCH_OBJECT
LDAP_NOT_ALLOWED_ON_NONLEAF
LDAP_NOT_ALLOWED_ON_RDN
LDAP_NOT_SUPPORTED
LDAP_OBJECT_CLASS_VIOLATION
LDAP_OPERATIONS_ERROR
LDAP_OTHER
LDAP_PARAM_ERROR
LDAP_PARTIAL_RESULTS
LDAP_PROTOCOL_ERROR
LDAP_REFERRAL
LDAP_REFERRAL_LIMIT_EXCEEDED
LDAP_RESULTS_TOO_LARGE
LDAP_SASL_BIND_IN_PROGRESS
LDAP_SERVER_DOWN
LDAP_SIZELIMIT_EXCEEDED
LDAP_SORT_CONTROL_MISSING
LDAP_STRONG_AUTH_NOT_SUPPORTED
LDAP_STRONG_AUTH_REQUIRED
LDAP_SUCCESS
LDAP_TIMELIMIT_EXCEEDED
LDAP_TIMEOUT
LDAP_TYPE_OR_VALUE_EXISTS
LDAP_UNAVAILABLE
LDAP_UNAVAILABLE_CRITICAL_EXTENSION
LDAP_UNDEFINED_TYPE
LDAP_UNWILLING_TO_PERFORM
LDAP_USER_CANCELLED
Result Codes Listed in Numerical Order
LDAP_SUCCESS
LDAP_OPERATIONS_ERROR
LDAP_PROTOCOL_ERROR
LDAP_TIMELIMIT_EXCEEDED
LDAP_SIZELIMIT_EXCEEDED
LDAP_COMPARE_FALSE
LDAP_COMPARE_TRUE
LDAP_STRONG_AUTH_NOT_SUPPORTED
LDAP_STRONG_AUTH_REQUIRED
LDAP_PARTIAL_RESULTS
LDAP_REFERRAL
LDAP_ADMINLIMIT_EXCEEDED
LDAP_UNAVAILABLE_CRITICAL_EXTENSION
LDAP_CONFIDENTIALITY_REQUIRED
LDAP_SASL_BIND_IN_PROGRESS
LDAP_NO_SUCH_ATTRIBUTE
LDAP_UNDEFINED_TYPE
LDAP_INAPPROPRIATE_MATCHING
LDAP_CONSTRAINT_VIOLATION
LDAP_TYPE_OR_VALUE_EXISTS
LDAP_INVALID_SYNTAX
LDAP_NO_SUCH_OBJECT
LDAP_ALIAS_PROBLEM
LDAP_INVALID_DN_SYNTAX
LDAP_IS_LEAF
LDAP_ALIAS_DEREF_PROBLEM
LDAP_INAPPROPRIATE_AUTH
LDAP_INVALID_CREDENTIALS
LDAP_INSUFFICIENT_ACCESS
LDAP_BUSY
LDAP_UNAVAILABLE
LDAP_UNWILLING_TO_PERFORM
LDAP_LOOP_DETECT
LDAP_SORT_CONTROL_MISSING
LDAP_INDEX_RANGE_ERROR
LDAP_NAMING_VIOLATION
LDAP_OBJECT_CLASS_VIOLATION
LDAP_NOT_ALLOWED_ON_NONLEAF
LDAP_NOT_ALLOWED_ON_RDN
LDAP_ALREADY_EXISTS
LDAP_NO_OBJECT_CLASS_MODS
LDAP_RESULTS_TOO_LARGE
LDAP_AFFECTS_MULTIPLE_DSAS
LDAP_OTHER
LDAP_SERVER_DOWN
LDAP_LOCAL_ERROR
LDAP_ENCODING_ERROR
LDAP_DECODING_ERROR
LDAP_TIMEOUT
LDAP_AUTH_UNKNOWN
LDAP_FILTER_ERROR
LDAP_USER_CANCELLED
LDAP_PARAM_ERROR
LDAP_NO_MEMORY
LDAP_CONNECT_ERROR
LDAP_NOT_SUPPORTED
LDAP_CONTROL_NOT_FOUND
LDAP_NO_RESULTS_RETURNED
LDAP_MORE_RESULTS_TO_RETURN
LDAP_CLIENT_LOOP
LDAP_REFERRAL_LIMIT_EXCEEDED
LDAP_ADMINLIMIT_EXCEEDED
This result code indicates that the "look through limit" on a search operation has been exceeded. When working with the Directory Server, keep in mind the following:
- If you are bound as the root DN, the server sets an infinite "look through limit".
- If you are not bound as the root DN, the server sets the time limit to the value specified by the lookthroughtimelimit directive in the server's slapd.conf configuration file.
The "look through limit" is the maximum number of entries that the server will check when gathering a list of potential search result candidates. See the Directory Server Administrator's Guide for details.
LDAP_AFFECTS_MULTIPLE_DSAS
This result code indicates that the requested operation needs to be performed on multiple servers, where this operation is not permitted. Currently, the Directory Server does not send this result code back to LDAP clients.
LDAP_ALIAS_DEREF_PROBLEM
This result code indicates that a problem occurred when dereferencing an alias. Currently, the Directory Server does not send this result code back to LDAP clients.
LDAP_ALIAS_PROBLEM
This result code indicates that a problem occurred when dereferencing an alias. Currently, the Directory Server does not send this result code back to LDAP clients.
LDAP_ALREADY_EXISTS
This result code indicates that the request is attempting to add an entry that already exists in the directory. The Directory Server sends this result code back to the client in the following situations:
- The request is an add request, and the entry already exists in the directory.
- The request is a modify DN request, and the new DN of the entry already identifies another entry.
- The request is adding an attribute to the schema, and an attribute with the specified name or OID already exists.
LDAP_AUTH_UNKNOWN
This result code indicates that an unknown authentication method was specified. The LDAP API library sets this result code if ldap_bind() or ldap_bind_s() is called and an authentication method other than LDAP_AUTH_SIMPLE is specified. (These functions only allow you to use simple authentication.)
LDAP_BUSY
This result code indicates that the server is currently too busy to perform the requested operation. At this point in time, neither the LDAP API library nor the Directory Server returns this result code.
LDAP_CLIENT_LOOP
This result code indicates that the LDAP client (API library) detected a loop, for example, when following referrals.
LDAP_COMPARE_FALSE
This result code is returned after an LDAP compare operation is completed. The result indicates that the specified attribute value is not present in the specified entry.
LDAP_COMPARE_TRUE
This result code is returned after an LDAP compare operation is completed. The result indicates that the specified attribute value is present in the specified entry.
LDAP_CONFIDENTIALITY_REQUIRED
This result code indicates that confidentiality is required for the operation. Currently, the Directory Server does not send this result code back to LDAP clients.
LDAP_CONNECT_ERROR
This result code indicates that the LDAP client cannot establish a connection (or has lost the connection) with the LDAP server.
The LDAP API library sets this result code. If you have not established an initial connection with the server, verify that you have specified the correct hostname and port number and that the server is running.
If you have lost the connection to the server, see "Handling Failover" for instructions on reconnecting to the server.
LDAP_CONSTRAINT_VIOLATION
This result code indicates that a value in the request does not comply with certain constraints. The Directory Server sends this result code back to the client in the following situations:
- The request adds or modifies the userpassword attribute, and one of the following is true:
  - The server is configured to check the password syntax, and the length of the new password is less than the minimum password length.
  - The server is configured to check the password syntax, and the new password is the same as one of the values of the uid, cn, sn, givenname, ou, or mail attributes.
  - The server is configured to keep a history of previous passwords, and the new password is the same as one of the previous passwords.
- The request is a bind request, and the user is locked out of the account. (For example, the server can be configured to lock a user out of the account after a given number of failed attempts to bind to the server.)
LDAP_CONTROL_NOT_FOUND
This result code indicates that a requested LDAP control was not found.
The LDAP API library sets this result code when parsing a server response for controls and not finding the requested controls. For example:
- ldap_parse_entrychange_control() is called, but no entry change notification control is found in the server's response.
- ldap_parse_sort_control() is called, but no server-side sorting control is found in the server's response.
- ldap_parse_virtuallist_control() is called, but no virtual list view response control is found in the server's response.
For more information on controls, see Chapter 14 - Working with LDAP Controls.
LDAP_DECODING_ERROR
This result code indicates that the LDAP client encountered an error when decoding the LDAP response received from the server.
LDAP_ENCODING_ERROR
This result code indicates that the LDAP client encountered an error when encoding the LDAP request to be sent to the server.
LDAP_FILTER_ERROR
This result code indicates that an error occurred when specifying the search filter. The LDAP API library sets this result code if it cannot encode the specified search filter in an LDAP search request.
LDAP_INAPPROPRIATE_AUTH
This result code indicates that the type of credentials is not appropriate for the method of authentication used. The Directory Server sends this result code back to the client if simple authentication is used in a bind request but the entry has no userpassword attribute, or if SASL EXTERNAL is attempted on a non-SSL connection.
LDAP_INAPPROPRIATE_MATCHING
This result code indicates that an extensible match filter in a search request contained a matching rule that does not apply to the specified attribute type. Currently, the Directory Server does not send this result code back to LDAP clients.
LDAP_INDEX_RANGE_ERROR
This result code indicates that the search results exceeded the range specified by the requested offsets. This result code applies to search requests that contain "virtual list view" controls. For more information on this control, see "Using the Virtual List View Control."
Note that versions of the Directory Server prior to 4.0 do not support the "virtual list view" control.
LDAP_INSUFFICIENT_ACCESS
This result code indicates that the client has insufficient access to perform the operation. Check the user that you are authenticating as and the access control lists for the server.
LDAP_INVALID_CREDENTIALS
This result code indicates that the credentials provided in the request are invalid. The Directory Server sends this result code back to the client if a bind request contains the incorrect credentials for a user or if a user's password has already expired.
LDAP_INVALID_DN_SYNTAX
This result code indicates that an invalid DN has been specified. The Directory Server sends this result code back to the client if an add request or a modify DN request specifies an invalid DN. It also sends this code when an SASL_EXTERNAL bind is attempted but certificate to DN mapping fails.
LDAP_INVALID_SYNTAX
This result code indicates that the request contains invalid syntax. The Directory Server sends this result code back to the client in the following situations:
- The server encounters an ACL with invalid syntax.
- The request attempts to add or modify an aci attribute, and the value of the attribute is an ACI with invalid syntax.
- The request is a search request with a substring filter, and the syntax of the filter is invalid.
- The request is a modify request that is attempting to modify the schema, but no values are provided (for example, the request might be attempting to delete all values of the objectclass attribute).
LDAP_IS_LEAF
This result code indicates that the specified entry is a leaf entry. Currently, Directory Server does not send this result code back to LDAP clients.
LDAP_LOCAL_ERROR
This result code indicates that an error occurred in the LDAP client.
LDAP_LOOP_DETECT
This result code indicates that the server was unable to perform the requested operation because of an internal loop. Currently, the Directory Server does not send this result code back to LDAP clients.
LDAP_MORE_RESULTS_TO_RETURN
This result code indicates that there are more results in the chain of results. The LDAP API library sets this result code when the ldap_parse_sasl_bind_result() function is called to retrieve the result code of an operation, and additional result codes from the server are available in the LDAP structure.
LDAP_NAMING_VIOLATION
This result code indicates that the request violates the structure of the DIT. Currently, the Directory Server does not send this result code back to LDAP clients.
LDAP_NO_MEMORY
This result code indicates that no memory is available. The LDAP API library sets this result code if a function cannot allocate memory (for example, when creating an LDAP request or an LDAP control).
LDAP_NO_OBJECT_CLASS_MODS
This result code indicates that the request is attempting to modify the object class that should not be modified (for example, a structural object class). Currently, the Directory Server does not send this result code back to LDAP clients.
LDAP_NO_RESULTS_RETURNED
This result code indicates that no results were returned from the server. The LDAP API library sets this result code when the ldap_parse_result() function is called but no result code is included in the server's response.
LDAP_NO_SUCH_ATTRIBUTE
This result code indicates that the specified attribute does not exist in the entry. The Directory Server might send this result code back to the client if, for example, a modify request specifies the modification or removal of a non-existent attribute or if a compare request specifies a non-existent attribute.
LDAP_NO_SUCH_OBJECT
This result code indicates that the server cannot find an entry specified in the request. The Directory Server sends this result code back to the client if it cannot find a requested entry and if it cannot refer your client to another LDAP server.
LDAP_NOT_ALLOWED_ON_NONLEAF
This result code indicates that the requested operation is allowed only on entries that do not have child entries (entries that are "leaf" entries, as opposed to "branch" entries). The Directory Server sends this result code back to the client if the request is a delete request or a modify DN request and the entry is a parent entry. (You cannot delete or move a branch of entries in a single operation.)
LDAP_NOT_ALLOWED_ON_RDN
This result code indicates that the requested operation will affect the RDN of the entry. The Directory Server sends this result code back to the client if the request is a modify request and the request deletes attribute values from the entry that are used in the RDN of the entry. (For example, if the DN is "uid=bjensen,ou=People,dc=example,dc=com", the request removes the attribute value "uid=bjensen" from the entry.)
LDAP_NOT_SUPPORTED
This result code indicates that the LDAP client is attempting to use functionality that is not supported. The LDAP API library sets this result code if the client identifies itself as an LDAPv2 client, and the client is attempting to use functionality available in LDAPv3. For example:
- You are passing LDAP controls to a function.
- You are calling ldap_extended_operation(), ldap_extended_operation_s(), or ldap_parse_extended_result() to request an extended operation or to parse an extended response.
- You are calling ldap_rename() or ldap_rename_s(), and you are specifying a new "superior DN" as an argument.
- You are calling ldap_sasl_bind(), ldap_sasl_bind_s(), or ldap_parse_sasl_bind_result() to request SASL authentication or to parse a SASL bind response.
- You are calling ldap_parse_virtuallist_control() to parse a virtual list control from the server's response.
If you want to use these features, make sure to specify that your LDAP client is an LDAPv3 client. For instructions, see "Specifying the LDAP Version of Your Client."
LDAP_OBJECT_CLASS_VIOLATION
This result code indicates that the request specifies a change to an entry or a new entry that does not comply with the server's schema. The Directory Server sends this result code back to the client in the following situations:
- The request is an add request, and the new entry does not comply with the schema. For example, the new entry does not have all the required attributes, or the entry has attributes that are not allowed in the entry.
- The request is a modify request, and the change will make the entry noncompliant with the schema. For example, the change removes a required attribute or adds an attribute that is not allowed.
Check the server error logs for more information, and check the schema for the type of entry that you are adding or modifying.
LDAP_OPERATIONS_ERROR
This is a general result code indicating that an error has occurred. The Directory Server might send this code if, for example, memory cannot be allocated on the server.
To troubleshoot this type of error, check the server's error logs. You may need to increase the log level of the server to get additional information.
LDAP_OTHER
This result code indicates that an unknown error has occurred. At this point in time, neither the LDAP API library nor the Directory Server returns this result code.
LDAP_PARAM_ERROR
This result code indicates that an invalid parameter was specified. The LDAP API library sets this result code if a function was called and invalid parameters were specified (for example, if the LDAP structure is NULL).
LDAP_PARTIAL_RESULTS
The Directory Server sends this result code to LDAPv2 clients to refer them to another LDAP server. When sending this code to a client, the server includes a newline-delimited list of LDAP URLs that identify another LDAP server.
If the client identifies itself as an LDAPv3 client in the request, the Directory Server sends an LDAP_REFERRAL result code instead of this result code.
LDAP_PROTOCOL_ERROR
This result code indicates that the LDAP client's request does not comply with the LDAP protocol. The Directory Server sends this result code back to the client in the following situations:
- The server cannot parse the incoming request.
- The request specifies an attribute type that uses a syntax not supported by the server.
- The request is a SASL bind request, but your client identifies itself as an LDAPv2 client. Make sure to specify that your LDAP client is an LDAPv3 client. For instructions, see "Specifying the LDAP Version of Your Client."
- The request is a bind request that specifies an unsupported version of the LDAP protocol. Make sure to specify that your LDAP client is either an LDAPv2 client or an LDAPv3 client. For instructions, see "Specifying the LDAP Version of Your Client."
- The request is an add or a modify request that specifies the addition of an attribute type to an entry, but no values are specified.
- The request is a modify request, and one of the following is true:
  - An unknown modify operation is specified (an operation other than LDAP_MOD_ADD, LDAP_MOD_DELETE, and LDAP_MOD_REPLACE).
  - No modifications are specified.
- The request is a modify DN request, and one of the following is true:
  - The new RDN is not a valid RDN.
  - A new superior DN is specified, but your client identifies itself as an LDAPv2 client.
- The request is a search request, and one of the following is true:
  - An unknown scope is specified (a scope other than LDAP_SCOPE_BASE, LDAP_SCOPE_ONELEVEL, and LDAP_SCOPE_SUBTREE).
  - An unknown filter type is specified.
  - The filter type LDAP_FILTER_GE or LDAP_FILTER_LE is specified, but the type of attribute contains values that cannot be ordered. (For example, if the attribute type uses a binary syntax, the values of the attribute contain binary data, which cannot be sorted.)
  - The request contains an extensible filter (a filter using matching rules), but your client identifies itself as an LDAPv2 client. (Make sure to specify that your LDAP client is an LDAPv3 client. For instructions, see "Specifying the LDAP Version of Your Client.")
  - The request contains an extensible filter (a filter using matching rules), but the matching rule is not supported by the server.
- The request is a search request with a server-side sorting control, and one of the following is true:
  - The server does not have a syntax plug-in that supports the attribute used for sorting.
  - The syntax plug-in does not have a function for comparing values of the attribute. (This compare function is used for sorting.)
  - The type of attribute specified for sorting contains values that cannot be sorted in any order. For example, if the attribute type uses a binary syntax, the values of the attribute contain binary data, which cannot be sorted.
  - The server encounters an error when creating the sorting response control (the control to be sent back to the client).
  - When sorting the results, the time limit or the "look through limit" is exceeded. The "look through limit" is the maximum number of entries that the server will check when gathering a list of potential search result candidates.
- The request is an extended operation request, and the server does not support that extended operation. In the Netscape Directory Server, extended operations are supported through extended operation server plug-ins. Make sure that the server is loading a plug-in that supports the extended operation. Check the OID of the extended operation in your LDAP client to make sure that it matches the OID of the extended operation registered in the server plug-in. For more information on extended operation server plug-ins, see the Netscape Directory Server Plug-In Programmer's Guide.
- An authentication method other than LDAP_AUTH_SIMPLE or LDAP_AUTH_SASL is specified.
To troubleshoot this type of error, check the server's error logs. You may need to increase the log level of the server to get additional information.
LDAP_REFERRAL
This result code indicates that the server is referring the client to another LDAP server. When sending this code to a client, the server includes a list of LDAP URLs that identify another LDAP server. This result code is part of the LDAPv3 protocol. For LDAPv2 clients, the Directory Server sends an LDAP_PARTIAL_RESULTS result code instead.
LDAP_REFERRAL_LIMIT_EXCEEDED
This result code indicates that the "referral hop limit" was exceeded. The LDAP API library sets this result code when following referrals, if the client is referred to other servers more times than allowed by the "referral hop limit". For more information about the "referral hop limit", see "Limiting Referral Hops."
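The referral handling described under LDAP_PARTIAL_RESULTS, LDAP_CLIENT_LOOP and LDAP_REFERRAL_LIMIT_EXCEEDED can be illustrated with the following added example, which is not code from the LDAP C SDK. It splits a newline-delimited referral list, accepts only ldap:// and ldaps:// URLs, and stops on a repeated URL or when a hop limit is reached. The names ref_chain, chain_init, chain_next and the REF_* outcomes are hypothetical, and treating "same URL, compared case-insensitively" as a loop is an assumption of this sketch.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strncasecmp, strcasecmp (POSIX) */

#define MAX_URL  256
#define MAX_SEEN 16

/* Hypothetical outcomes for this example. REF_LOOP and REF_HOP_LIMIT are the
 * conditions the guide reports as LDAP_CLIENT_LOOP and
 * LDAP_REFERRAL_LIMIT_EXCEEDED. */
enum ref_status { REF_OK, REF_NONE, REF_LOOP, REF_HOP_LIMIT };

struct ref_chain {
    int  hop_limit;                 /* maximum referrals to follow */
    int  hops;                      /* referrals followed so far */
    int  nseen;
    char seen[MAX_SEEN][MAX_URL];   /* start URL plus every URL followed */
};

/* Only LDAP schemes are acceptable referral targets; anything else is ignored. */
static int is_ldap_url(const char *s, size_t n)
{
    return (n > 7 && strncasecmp(s, "ldap://", 7) == 0) ||
           (n > 8 && strncasecmp(s, "ldaps://", 8) == 0);
}

static int already_seen(const struct ref_chain *c, const char *url)
{
    for (int i = 0; i < c->nseen; i++)
        if (strcasecmp(c->seen[i], url) == 0)
            return 1;
    return 0;
}

static void remember(struct ref_chain *c, const char *url)
{
    if (c->nseen < MAX_SEEN) {
        snprintf(c->seen[c->nseen], MAX_URL, "%s", url);
        c->nseen++;
    }
}

void chain_init(struct ref_chain *c, const char *start_url, int hop_limit)
{
    memset(c, 0, sizeof *c);
    /* Clamp so every followed URL fits in the seen[] table. */
    c->hop_limit = hop_limit < MAX_SEEN ? hop_limit : MAX_SEEN - 1;
    remember(c, start_url);
}

/* Pick the first usable URL from a newline-delimited referral list. */
enum ref_status chain_next(struct ref_chain *c, const char *list,
                           char *chosen, size_t chosen_sz)
{
    int candidates = 0;
    const char *p = list;

    while (*p) {
        size_t n = strcspn(p, "\r\n");          /* length of this line */
        if (is_ldap_url(p, n) && n < MAX_URL && n < chosen_sz) {
            char url[MAX_URL];
            memcpy(url, p, n);
            url[n] = '\0';
            candidates++;
            if (!already_seen(c, url)) {
                if (c->hops >= c->hop_limit)
                    return REF_HOP_LIMIT;
                remember(c, url);
                c->hops++;
                memcpy(chosen, url, n + 1);
                return REF_OK;
            }
        }
        p += n;
        p += strspn(p, "\r\n");                 /* skip line terminators */
    }
    /* Valid URLs that were all visited before mean the referral chain loops. */
    return candidates ? REF_LOOP : REF_NONE;
}

int main(void)
{
    /* Constructed sample data, not captured from a real server. */
    struct ref_chain c;
    char url[MAX_URL];
    chain_init(&c, "ldap://a.example.com:389/dc=example,dc=com", 2);
    enum ref_status st = chain_next(&c,
        "Referral:\nldap://b.example.com/dc=example,dc=com\n"
        "ldap://c.example.com/dc=example,dc=com\n", url, sizeof url);
    printf("status=%d url=%s\n", st, st == REF_OK ? url : "(none)");
    return 0;
}
```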
LDAP_RESULTS_TOO_LARGE
This result code indicates that the results of the request are too large. Currently, the Directory Server does not send this result code back to LDAP clients.
LDAP_SASL_BIND_IN_PROGRESS
This result code is used in multi-stage SASL bind operations. The server sends this result code back to the client to indicate that the authentication process has not yet completed. For more information on SASL authentication, see Chapter 13 - Using SASL Authentication.
LDAP_SERVER_DOWN
This result code indicates that the LDAP API library cannot establish a connection (or lost the connection) with the LDAP server. The LDAP API library sets this result code. If you have not established an initial connection with the server, verify that you have specified the correct hostname and port number and that the server is running.
If you have lost the connection to the server, see "Handling Failover" for instructions on reconnecting to the server.
LDAP_SIZELIMIT_EXCEEDED
This result code indicates that the maximum number of search results to return has been exceeded. The size limit is specified in the search request. If you specify no size limit, the server will set the time limit.
When working with the Directory Server, keep in mind the following:
- If you are bound as the root DN and specify no size limit, the server enforces no size limit at all.
- If you are not bound as the root DN and specify no size limit, the server sets the size limit to the value specified by the sizelimit directive in the server's slapd.conf configuration file.
- If the size limit that you specify exceeds the value specified by the sizelimit directive in the server's slapd.conf configuration file, the server uses the size limit specified in the configuration file.
LDAP_SORT_CONTROL_MISSING
This result code indicates that the server did not receive a required server-side sorting control. The Directory Server 4.0 sends this result code back to the client if the server receives a search request with a "virtual list view" control but no server-side sorting control.
The "virtual list view" control requires a server-side sorting control. For more information on this control, see "Using the Virtual List View Control." Note that versions of the Directory Server prior to 4.0 do not support the "virtual list view" control.
LDAP_STRONG_AUTH_NOT_SUPPORTED
This result code is returned as the result of a bind operation. This code indicates that the server does not recognize or support the specified authentication method.
LDAP_STRONG_AUTH_REQUIRED
This result code indicates that a stronger method of authentication is required to perform the operation. Currently, the Directory Server does not send this result code back to LDAP clients.
LDAP_SUCCESS
This result code indicates that the LDAP operation was successful.
LDAP_TIMELIMIT_EXCEEDED
This result code indicates that the time limit on a search operation has been exceeded. The time limit is specified in the search request. If you specify no time limit, the server will set the time limit. When working with the Directory Server, keep in mind the following:
- If you are bound as the root DN and specify no time limit, the server enforces no size limit at all.
- If you are not bound as the root DN and specify no time limit, the server sets the time limit to the value specified by the timelimit directive in the server's slapd.conf configuration file.
- If the time limit that you specify exceeds the value specified by the timelimit directive in the server's slapd.conf configuration file, the server uses the time limit specified in the configuration file.
LDAP_TIMEOUT
This result code indicates that the LDAP client timed out while waiting for a response from the server. The LDAP API library sets this result code in the LDAP structure if the timeout period (for example, in a search request) has been exceeded and the server has not responded.
LDAP_TYPE_OR_VALUE_EXISTS
This result code indicates that the request attempted to add an attribute type or value that already exists. The Directory Server sends this result code back to the client in the following situations:
- The request attempts to add values that already exist in the attribute.
- The request is adding an attribute to the schema of the server, but the OID of the attribute is already used by an object class in the schema.
- The request is adding an object class to the schema of the server, and one of the following occurs:
  - The object class already exists.
  - The OID of the object class is already used by another object class or an attribute in the schema.
  - The superior object class for this new object class does not exist.
LDAP_UNAVAILABLE
This result code indicates that the server is unavailable to perform the requested operation. At this point in time, neither the LDAP API library nor the Directory Server returns this result code.
LDAP_UNAVAILABLE_CRITICAL_EXTENSION
This result code indicates that the specified control or matching rule is not supported by the server. The Directory Server might send back this result code if the request includes an unsupported control or if the filter in the search request specifies an unsupported matching rule.
LDAP_UNDEFINED_TYPE
This result code indicates that the request specifies an undefined attribute type. Currently, the Directory Server does not send this result code back to LDAP clients.
LDAP_UNWILLING_TO_PERFORM
This result code indicates that the server is unwilling to perform the requested operation. The Directory Server sends this result code back to the client in the following situations:
- The client has logged in for the first time and needs to change its password, but the client is requesting to perform other LDAP operations. In this situation, the result code is accompanied by an expired password control. For details, see "Using Password Policy Controls."
- The NT Synch Service is running, and an operation is "vetoed" by the service.
- The request is a modify DN request, and a "superior DN" is specified. (At this point in time, the Directory Server does not support the ability to use the modify DN operation to move an entry from one location in the directory tree to another location.)
- The database is in read-only mode, and the request attempts to write to the directory.
- The request is a delete request that attempts to delete the root DSE.
- The request is a modify DN request that attempts to modify the DN of the root DSE.
- The request is a modify request to modify the schema entry, and one of the following occurs:
  - The operation is LDAP_MOD_REPLACE. (The server does not allow you to replace schema entry attributes.)
  - The request attempts to delete an object class that is the parent of another object class.
  - The request attempts to delete a read-only object class or attribute.
- The server uses a database plug-in that does not implement the operation specified in the request. For example, if the database plug-in does not implement the add operation, sending an add request will return this result code.
LDAP_USER_CANCELLED
This result code indicates that the user cancelled the LDAP operation. Currently, the Directory Server does not send this result code back to LDAP clients.