You are currently viewing a snapshot of www.mozilla.org taken on April 21, 2008. Most of this content is highly out of date (some pages haven't been updated since the project began in 1998) and exists for historical purposes only. If there are any pages on this archive site that you think should be added back to www.mozilla.org, please file a bug.

Mozilla LDAP C SDK Programmer's Guide

Chapter 19 - Result Codes

This chapter lists the result codes that can be returned by functions in the LDAP C SDK. These codes are specified in the LDAP protocol.

For ease of reference, this chapter lists the result codes in two formats:

Result Codes Listed Alphabetically

Result Codes Listed in Numerical Order

LDAP_ADMINLIMIT_EXCEEDED

This result code indicates that the "look through limit" on a search operation has been exceeded. When working with the Directory Server, keep in mind the following:

If you are bound as the root DN, the server sets an infinite "look through limit".
If you are not bound as the root DN, the server sets the time limit to the value specified by the lookthroughtimelimit directive in the server's slapd.conf configuration file.

The "look through limit" is the maximum number of entries that the server will check when gathering a list of potential search result candidates. See the Directory Server Administrator's Guide for details.

LDAP_AFFECTS_MULTIPLE_DSAS

This result code indicates that the requested operation needs to be performed on multiple servers, where this operation is not permitted. Currently, the Directory Server does not send this result code back to LDAP clients.

LDAP_ALIAS_DEREF_PROBLEM

This result code indicates that a problem occurred when dereferencing an alias. Currently, the Directory Server does not send this result code back to LDAP clients.

LDAP_ALIAS_PROBLEM

This result code indicates that a problem occurred when dereferencing an alias. Currently, the Directory Server does not send this result code back to LDAP clients.

LDAP_ALREADY_EXISTS

This result code indicates that the request is attempting to add an entry that already exists in the directory. The Directory Server sends this result code back to the client in the following situations:

The request is an add request, and the entry already exists in the directory.
The request is a modify DN request, and the new DN of the entry already identifies another entry.
The request is adding an attribute to the schema, and an attribute with the specified name or OID already exists.

LDAP_AUTH_UNKNOWN

This result code indicates that an unknown authentication method was specified. The LDAP API library sets this result code if ldap_bind() or ldap_bind_s() are called and an authentication method other than LDAP_AUTH_SIMPLE is specified. (These functions only allow you to use simple authentication.)

LDAP_BUSY

This result code indicates that the server is currently too busy to perform the requested operation. At this point in time, neither the LDAP API library nor the Directory Server return this result code.

LDAP_CLIENT_LOOP

This result code indicates that the LDAP client (API library) detected a loop, for example, when following referrals.

LDAP_COMPARE_FALSE

This result code is returned after an LDAP compare operation is completed. The result indicates that the specified attribute value is not present in the specified entry.

LDAP_COMPARE_TRUE

This result code is returned after an LDAP compare operation is completed. The result indicates that the specified attribute value is present in the specified entry.

LDAP_CONFIDENTIALITY_REQUIRED

This result code indicates that confidentiality is required for the operation. Currently, the Directory Server does not send this result code back to LDAP clients.

LDAP_CONNECT_ERROR

This result code indicates that the LDAP client cannot establish a connection (or has lost the connection) with the LDAP server.

The LDAP API library sets this result code. If you have not established an initial connection with the server, verify that you have specified the correct hostname and port number and that the server is running.

If you have lost the connection to the server, see "Handling Failover" for instructions on reconnecting to the server.

LDAP_CONSTRAINT_VIOLATION

This result code indicates that a value in the request does not comply with certain constraints. The Directory Server sends this result code back to the client in the following situations:

The request adds or modifies the userpassword attribute, and one of the following is true:
- The server is configured to check the password syntax, and the length of the new password is less than the minimum password length.
- The server is configured to check the password syntax, and the new password is the same as one of the values of the uid, cn, sn, givenname, ou, or mail attributes.
- The server is configured to keep a history of previous passwords, and the new password is the same as one of the previous passwords.
The request is a bind request, and the user is locked out of the account. (For example, the server can be configured to lock a user out of the account after a given number of failed attempts to bind to the server.)

LDAP_CONTROL_NOT_FOUND

This result code indicates that a requested LDAP control was not found.

The LDAP API library sets this result code when parsing a server response for controls and not finding the requested controls. For example:

ldap_parse_entrychange_control() is called, but no entry change notification control is found in the server's response.
ldap_parse_sort_control() is called, but no server-side sorting control is found in the server's response.
ldap_parse_virtuallist_control() is called, but no virtual list view response control is found in the server's response.

For more information on controls, see Chapter 14 - Working with LDAP Controls.

LDAP_DECODING_ERROR

This result code indicates that the LDAP client encountered an error when decoding the LDAP response received from the server.

LDAP_ENCODING_ERROR

This result code indicates that the LDAP client encountered an error when encoding the LDAP request to be sent to the server.

LDAP_FILTER_ERROR

This result code indicates that an error occurred when specifying the search filter. The LDAP API library sets this result code if it cannot encode the specified search filter in an LDAP search request.

LDAP_INAPPROPRIATE_AUTH

This result code indicates that the type of credentials are not appropriate for the method of authentication used. The Directory Server sends this result code back to the client if simple authentication is used in a bind request, but the entry has no userpassword attribute. And if SASL EXTERNAL is attempted on a non-SSL connection.

LDAP_INAPPROPRIATE_MATCHING

This result code indicates that an extensible match filter in a search request contained a matching rule that does not apply to the specified attribute type. Currently, the Directory Server does not send this result code back to LDAP clients.

LDAP_INDEX_RANGE_ERROR

This result code indicates that the search results exceeded the range specified by the requested offsets. This result code applies to search requests that contain "virtual list view" controls. For more information on this control, see "Using the Virtual List View Control."

Note that versions of the Directory Server prior to 4.0 do not support the "virtual list view" control.

LDAP_INSUFFICIENT_ACCESS

This result code indicates that the client has insufficient access to perform the operation. Check the user that you are authenticating as and the access control lists for the server.

LDAP_INVALID_CREDENTIALS

This result code indicates that the credentials provided in the request are invalid. The Directory Server sends this result code back to the client if a bind request contains the incorrect credentials for a user or if a user's password has already expired.

LDAP_INVALID_DN_SYNTAX

This result code indicates than an invalid DN has been specified. The Directory Server sends this result code back to the client if an add request or a modify DN request specifies an invalid DN. It also sends this code when an SASL_EXTERNAL bind is attempted but certification to DN mapping fails.

LDAP_INVALID_SYNTAX

This result code indicates that the request contains invalid syntax. The Directory Server sends this result code back to the client in the following situations:

The server encounters an ACL with invalid syntax.
The request attempts to add or modify an aci attribute, and the value of the attribute is an ACI with invalid syntax.
The request is a search request with a substring filter, and the syntax of the filter is invalid.
The request is a modify request that is attempting to modify the schema, but no values are provided (for example, the request might be attempting to delete all values of the objectclass attribute).

LDAP_IS_LEAF

This result code indicates that the specified entry is a leaf entry. Currently, Directory Server does not send this result code back to LDAP clients.

LDAP_LOCAL_ERROR

This result code indicates that an error occurred in the LDAP client.

LDAP_LOOP_DETECT

This result code indicates that the server was unable to perform the requested operation because of an internal loop. Currently, the Directory Server does not send this result code back to LDAP clients.

LDAP_MORE_RESULTS_TO_RETURN

This result code indicates that there are more results in the chain of results. The LDAP API library sets this result code when the ldap_parse_sasl_bind_result() function is called to retrieve the result code of an operation, and additional result codes from the server are available in the LDAP structure.

LDAP_NAMING_VIOLATION

This result code indicates that the request violates the structure of the DIT. Currently, the Directory Server does not send this result code back to LDAP clients.

LDAP_NO_MEMORY

This result code indicates that no memory is available. The LDAP API library sets this result code if a function cannot allocate memory (for example, when creating an LDAP request or an LDAP control).

LDAP_NO_OBJECT_CLASS_MODS

This result code indicates that the request is attempting to modify the object class that should not be modified (for example, a structural object class). Currently, the Directory Server does not send this result code back to LDAP clients.

LDAP_NO_RESULTS_RETURNED

This result code indicates that no results were returned from the server. The LDAP API library sets this result code when the ldap_parse_result() function is called but no result code is included in the server's response.

LDAP_NO_SUCH_ATTRIBUTE

This result code indicates that the specified attribute does not exist in the entry. The Directory Server might send this result code back to the client if, for example, a modify request specifies the modification or removal of a non-existent attribute or if a compare request specifies a non-existent attribute.

LDAP_NO_SUCH_OBJECT

This result code indicates that the server cannot find an entry specified in the request. The Directory Server sends this result code back to the client if it cannot find a requested entry and if it cannot refer your client to another LDAP server.

LDAP_NOT_ALLOWED_ON_NONLEAF

This result code indicates that the requested operation is allowed only on entries that do not have child entries (entries that are "leaf" entries, as opposed to "branch" entries). The Directory Server sends this result code back to the client if the request is a delete request or a modify DN request and the entry is a parent entry. (You cannot delete or move a branch of entries in a single operation.)

LDAP_NOT_ALLOWED_ON_RDN

This result code indicates that the requested operation will affect the RDN of the entry. The Directory Server sends this result code back to the client if the request is a modify request and the request deletes attribute values from the entry that are used in the RDN of the entry. (For example, if the DN is "uid=bjensen,ou=People,dc=example,dc=com", the request removes the attribute value "uid=bjensen" from the entry.)

LDAP_NOT_SUPPORTED

This result code indicates that the LDAP client is attempting to use functionality that is not supported. The LDAP API library sets this result code if the client identifies itself as an LDAPv2 client, and the client is attempting to use functionality available in LDAPv3. For example:

You are passing LDAP controls to a function.
You are calling ldap_extended_operation(), ldap_extended_operation_s(), or ldap_parse_extended_result() to request an extended operation or to parse an extended response.
You are calling ldap_rename() or ldap_rename_s(), and you are specifying a new "superior DN" as an argument.
You are calling ldap_sasl_bind(), ldap_sasl_bind_s(), or ldap_parse_sasl_bind_result() to request SASL authentication or to parse a SASL bind response.
You are calling ldap_parse_virtuallist_control() to parse a virtual list control from the server's response.

If you want to use these features, make sure to specify that your LDAP client is an LDAPv3 client. For instructions, see "Specifying the LDAP Version of Your Client."

LDAP_OBJECT_CLASS_VIOLATION

This result code indicates that the request specifies a change to an entry or a new entry that does not comply with the server's schema. The Directory Server sends this result code back to the client in the following situations:

The request is an add request, and the new entry does not comply with the schema. For example, the new entry does not have all the required attributes, or the entry has attributes that are not allowed in the entry.
The request is a modify request, and the change will make the entry noncompliant with the schema. For example, the change removes a required attribute or adds an attribute that is not allowed.

Check the server error logs for more information, and check the schema for the type of entry that you are adding or modifying.

LDAP_OPERATIONS_ERROR

This is a general result code indicating that an error has occurred. The Directory Server might send this code if, for example, memory cannot be allocated on the server.

To troubleshoot this type of error, check the server's error logs. You may need to increase the log level of the server to get additional information.

LDAP_OTHER

This result code indicates than an unknown error has occurred. At this point in time, neither the LDAP API library nor the Directory Server return this result code.

LDAP_PARAM_ERROR

This result code indicates that an invalid parameter was specified.

The LDAP API library sets this result code if a function was called and invalid parameters were specified (for example, if the LDAP structure is NULL).

LDAP_PARTIAL_RESULTS

The Directory Server sends this result code to LDAPv2 clients to refer them to another LDAP server. When sending this code to a client, the server includes a newline-delimited list of LDAP URLs that identify another LDAP server.

If the client identifies itself as an LDAPv3 client in the request, the Directory Server sends an LDAP_REFERRAL result code instead of this result code.

LDAP_PROTOCOL_ERROR

This result code indicates that the LDAP client's request does not comply with the LDAP protocol. The Directory Server sends this result code back to the client in the following situations:

The server cannot parse the incoming request.
The request specifies an attribute type that uses a syntax not supported by the server.
The request is a SASL bind request, but your client identifies itself as an LDAPv2 client.
Make sure to specify that your LDAP client is an LDAPv3 client. For instructions, see "Specifying the LDAP Version of Your Client."
The request is a bind request that specifies an unsupported version of the LDAP protocol.
Make sure to specify that your LDAP client is either an LDAPv2 client or an LDAPv3 client. For instructions, see "Specifying the LDAP Version of Your Client."
The request is an add or a modify request that specifies the addition of an attribute type to an entry, but no values are specified.
The request is a modify request, and one of the following is true:
- An unknown modify operation is specified (an operation other than LDAP_MOD_ADD, LDAP_MOD_DELETE, and LDAP_MOD_REPLACE).
- No modifications are specified.
The request is a modify DN request, and one of the following is true:
- The new RDN is not a valid RDN.
- A new superior DN is specified, but your client identifies itself as an LDAPv2 client.
Note that the Directory Server 3.x and 4.0 do not support the ability to move an entry from under one DN to another DN. If you specify a new superior DN, the request will not be processed.
The request is a search request, and one of the following is true:

An unknown scope is specified (a scope other than LDAP_SCOPE_BASE, LDAP_SCOPE_ONELEVEL, and LDAP_SCOPE_SUBTREE).
An unknown filter type is specified.
The filter type LDAP_FILTER_GE or LDAP_FILTER_LE is specified, but the type of attribute contains values that cannot be ordered. (For example, if the attribute type uses a binary syntax, the values of the attribute contain binary data, which cannot be sorted.)
The request contains an extensible filter (a filter using matching rules), but your client identifies itself as an LDAPv2 client. (Make sure to specify that your LDAP client is an LDAPv3 client. For instructions, see "Specifying the LDAP Version of Your Client.")
The request contains an extensible filter (a filter using matching rules), but the matching rule is not supported by the server.

The request is a search request with a server-side sorting control, and one of the following is true:
- The server does not have a syntax plug-in that supports the attribute used for sorting.
- The syntax plug-in does not have a function for comparing values of the attribute. (This compare function is used for sorting.)
- The type of attribute specified for sorting contains values that cannot be sorted in any order. For example, if the attribute type uses a binary syntax, the values of the attribute contain binary data, which cannot be sorted.
- The server encounters an error when creating the sorting response control (the control to be sent back to the client).
- When sorting the results, the time limit or the "look through limit" is exceeded. The "look through limit" is the maximum number of entries that the server will check when gathering a list of potential search result candidates.
The request is an extended operation request, and the server does not support that extended operation.
In the Netscape Directory Server, extended operations are supported through extended operation server plug-ins. Make sure that the server is loading a plug-in that supports the extended operation. Check the OID of the extended operation in your LDAP client to make sure that it matches the OID of the extended operation registered in the server plug-in.
For more information on extended operation server plug-ins, see the Netscape Directory Server Plug-In Programmer's Guide.
An authentication method other than LDAP_AUTH_SIMPLE or LDAP_AUTH_SASL is specified.

To troubleshoot this type of error, check the server's error logs. You may need to increase the log level of the server to get additional information.

LDAP_REFERRAL

This result code indicates that the server is referring the client to another LDAP server. When sending this code to a client, the server includes a list of LDAP URLs that identify another LDAP server. This result code is part of the LDAPv3 protocol. For LDAPv2 clients, the Directory Server sends an LDAP_PARTIAL_RESULTS result code instead.

LDAP_REFERRAL_LIMIT_EXCEEDED

This result code indicates that the "referral hop limit" was exceeded. The LDAP API library sets this result code when following referrals, if the client is referred to other servers more times than allowed by the "referral hop limit". For more information about the "referral hop limit", see "Limiting Referral Hops."

LDAP_RESULTS_TOO_LARGE

This result code indicates that the results of the request are too large. Currently, the Directory Server does not send this result code back to LDAP clients.

LDAP_SASL_BIND_IN_PROGRESS

This result code is used in multi-stage SASL bind operations. The server sends this result code back to the client to indicate that the authentication process has not yet completed. For more information on SASL authentication, see Chapter 13 - Using SASL Authentication.

LDAP_SERVER_DOWN

This result code indicates that the LDAP API library cannot establish a connection (or lost the connection) with the LDAP server. The LDAP API library sets this result code. If you have not established an initial connection with the server, verify that you have specified the correct hostname and port number and that the server is running.

If you have lost the connection to the server, see "Handling Failover" for instructions on reconnecting to the server.

LDAP_SIZELIMIT_EXCEEDED

This result code indicates that the maximum number of search results to return has been exceeded. The size limit is specified in the search request. If you specify no size limit, the server will set the time limit.

When working with the Directory Server, keep in mind the following:

If you are bound as the root DN and specify no size limit, the server enforces no size limit at all.
If you are not bound as the root DN and specify no size limit, the server sets the size limit to the value specified by the sizelimit directive in the server's slapd.conf configuration file.
If the size limit that you specify exceeds the value specified by the sizelimit directive in the server's slapd.conf configuration file, the server uses the size limit specified in the configuration file.

LDAP_SORT_CONTROL_MISSING

This result code indicates that server did not receive a required server-side sorting control. The Directory Server 4.0 sends this result code back to the client if the server receives a search request with a "virtual list view" control but no server-side sorting control.

The "virtual list view" control requires a server-side sorting control. For more information on this control, see "Using the Virtual List View Control." Note that versions of the Directory Server prior to 4.0 do not support the "virtual list view" control.

LDAP_STRONG_AUTH_NOT_SUPPORTED

This result code is returned as the result of a bind operation. This code indicates that the server does not recognize or support the specified authentication method.

LDAP_STRONG_AUTH_REQUIRED

This result code indicates that a stronger method of authentication is required to perform the operation. Currently, the Directory Server does not send this result code back to LDAP clients.

LDAP_SUCCESS

This result code indicates that the LDAP operation was successful.

LDAP_TIMELIMIT_EXCEEDED

This result code indicates that the time limit on a search operation has been exceeded. The time limit is specified in the search request. If you specify no time limit, the server will set the time limit. When working with the Directory Server, keep in mind the following:

If you are bound as the root DN and specify no time limit, the server enforces no size limit at all.
If you are not bound as the root DN and specify no time limit, the server sets the time limit to the value specified by the timelimit directive in the server's slapd.conf configuration file.
If the time limit that you specify exceeds the value specified by the timelimit directive in the server's slapd.conf configuration file, the server uses the time limit specified in the configuration file.

LDAP_TIMEOUT

This result code indicates that the LDAP client timed out while waiting for a response from the server. The LDAP API library sets this result code in the LDAP structure if the timeout period (for example, in a search request) has been exceeded and the server has not responded.

LDAP_TYPE_OR_VALUE_EXISTS

This result code indicates that the request attempted to add an attribute type or value that already exists. The Directory Server sends this result code back to the client in the following situations:

The request attempts to add values that already exist in the attribute.
The request is adding an attribute to the schema of the server, but the OID of the attribute is already used by an object class in the schema.
The request is adding an object class to the schema of the server, and one of the following occurs:
- The object class already exists.
- The OID of the object class is already used by another object class or an attribute in the schema.
- The superior object class for this new object class does not exist.

LDAP_UNAVAILABLE

This result code indicates that the server is unavailable to perform the requested operation. At this point in time, neither the LDAP API library nor the Directory Server return this result code.

LDAP_UNAVAILABLE_CRITICAL_EXTENSION

This result code indicates that the specified control or matching rule is not supported by the server. The Directory Server might send back this result code if the request includes an unsupported control or if the filter in the search request specifies an unsupported matching rule.

LDAP_UNDEFINED_TYPE

This result code indicates that the request specifies an undefined attribute type. Currently, the Directory Server does not send this result code back to LDAP clients.

LDAP_UNWILLING_TO_PERFORM

This result code indicates that the server is unwilling to perform to requested operation. The Directory Server sends this result code back to the client in the following situations:

The client has logged in for the first time and needs to change its password, but the client is requesting to perform other LDAP operations.
In this situation, the result code is accompanied by an expired password control. For details, see "Using Password Policy Controls."
The NT Synch Service is running, and an operation is "vetoed" by the service.
The request is a modify DN request, and a "superior DN" is specified. (At this point in time, the Directory Server does not support the ability to use the modify DN operation to move an entry from one location in the directory tree to another location.)
The database is in read-only mode, and the request attempts to write to the directory.
The request is a delete request that attempts to delete the root DSE.
The request is a modify DN request that attempts to modify the DN of the root DSE.
The request is a modify request to modify the schema entry, and one of the following occurs:
- The operation is LDAP_MOD_REPLACE. (The server does not allow you to replace schema entry attributes.)
- The request attempts to delete an object class that is the parent of another object class.
- The request attempts to delete a read-only object class or attribute.
The server uses a database plug-in that does not implement the operation specified in the request. For example, if the database plug-in does not implement the add operation, sending an add request will return this result code.

LDAP_USER_CANCELLED

This result code indicates that the user cancelled the LDAP operation. Currently, the Directory Server does not send this result code back to LDAP clients.