Overview[1]
We have gathered LDAP Result Codes from several sources, including our own observations. The IANA Registry resultCode values is the "official" listing.
More Specific LDAP Result Codes:
NOTE LDAP Error Codes vs LDAP Result Codes
LDAP is a request-response protocol, and each request is followed by a response. A success result code (0) implies all is well. Though many people refer to them as LDAP Error Codes, they are really LDAP Result Codes. Other result codes MAY or MAY NOT be errors.
Anyhow, here you can find many LDAP Result Codes and what they imply.
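The distinction above matters when monitoring a directory: a non-zero result is not automatically a failure, and only some codes are security-relevant. The following is an added example, not code from this page or from any LDAP server: it groups the result codes listed on this page by how a caller should react and flags sources with repeated result 49 on bind. The log layout, the sample lines and the threshold of 3 are constructed assumptions.

```python
import re
from collections import Counter

# Result codes from this page, grouped by how a caller should react.
NON_ERROR = {0, 5, 6, 10, 14}          # success, compare false/true, referral, SASL bind in progress
PARTIAL = {3, 4}                       # time/size limit hit: results may be incomplete
AUTH_RELATED = {7, 8, 13, 48, 49, 50}  # bind and access-control outcomes
CLIENT_SIDE = set(range(81, 98)) | {100, 101}  # set by the DUA library, not sent by the server

# Hypothetical access-log layout (an assumption, not any server's real format).
LINE = re.compile(r'src=(\S+) (\w+) .*\bresult=(\d+)$')

def classify(code):
    """Map a numeric LDAP result code to a handling category."""
    if code in NON_ERROR:
        return "ok"
    if code in PARTIAL:
        return "partial"
    if code in AUTH_RELATED:
        return "auth"
    if code in CLIENT_SIDE:
        return "client"
    return "error"

def triage(lines, bind_fail_threshold=3):
    """Return (category counts, sources with repeated result 49 on BIND)."""
    categories = Counter()
    bind_failures = Counter()
    for line in lines:
        m = LINE.search(line.strip())
        if not m:
            categories["unparsed"] += 1
            continue
        src, op, code = m.group(1), m.group(2), int(m.group(3))
        categories[classify(code)] += 1
        if op == "BIND" and code == 49:
            bind_failures[src] += 1
    suspects = sorted(s for s, n in bind_failures.items() if n >= bind_fail_threshold)
    return categories, suspects

# Constructed sample lines (documentation address range, made-up DNs).
SAMPLE_LOG = [
    'conn=1 op=0 src=192.0.2.5 BIND dn="uid=alice,dc=example,dc=com" result=0',
    'conn=1 op=1 src=192.0.2.5 COMPARE dn="uid=alice,dc=example,dc=com" result=5',
    'conn=1 op=2 src=192.0.2.5 SEARCH base="dc=example,dc=com" result=4',
    'conn=2 op=0 src=192.0.2.9 BIND dn="uid=bob,dc=example,dc=com" result=49',
    'conn=3 op=0 src=192.0.2.9 BIND dn="uid=carol,dc=example,dc=com" result=49',
    'conn=4 op=0 src=192.0.2.9 BIND dn="uid=dave,dc=example,dc=com" result=49',
    'conn=5 op=0 src=192.0.2.7 BIND dn="uid=erin,dc=example,dc=com" result=14',
    'conn=5 op=1 src=192.0.2.7 BIND dn="uid=erin,dc=example,dc=com" result=0',
    'conn=6 op=0 src=192.0.2.7 MODIFY dn="uid=erin,dc=example,dc=com" result=50',
    'conn=7 op=0 src=192.0.2.8 BIND dn="uid=frank,dc=example,dc=com" result=13',
    'truncated line with no result field',
]

if __name__ == "__main__":
    counts, suspects = triage(SAMPLE_LOG)
    print(dict(counts))
    print("repeated invalid credentials from:", suspects)
```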
Result Code values - per RFC 4520
All LDAP Result Codes are registered in the IANA Registry resultCode values.
We list them here as they were on 2016-08-05:
Hex | Decimal | Name | Owner | Reference | INIT | Short Summary |
---|---|---|---|---|---|---|
0x00 | 0 | LDAP_SUCCESS | IESG | RFC 4511 | DSA | This is used to indicate that the associated operation completed successfully. |
0x01 | 1 | LDAP_OPERATIONS_ERROR | IESG | RFC 4511 | DSA | This is used to indicate that the associated request was out of sequence with another operation in progress (e.g., a non-bind request in the middle of a multi-stage SASL bind). It does not indicate that the client has sent an erroneous message. eDirectory: In NDS 8.3x through NDS 7.xx, this was the default error for NDS errors that did not map to an LDAP error code. To conform to the new LDAP drafts, NDS 8.5 uses 80 (0x50) for such errors. |
0x02 | 2 | LDAP_PROTOCOL_ERROR | IESG | RFC 4511 | DSA | This is used to indicate that the client (DUA) sent data to the server that did not comprise a valid LDAP request. |
0x03 | 3 | LDAP_TIMELIMIT_EXCEEDED | IESG | RFC 4511 | DSA | This is used to indicate that the Timeout limit specified by either the client request or the server administration limits has been exceeded, and that processing of the associated request has been terminated because it took too long to complete. For a SearchRequest operation, it is possible that some of the matching entries had been returned when the Timeout limit was reached. |
0x04 | 4 | LDAP_SIZELIMIT_EXCEEDED | IESG | RFC 4511 | DSA | This is used to indicate that there were more entries matching the criteria contained in a SearchRequest operation than were allowed to be returned by the size limit configuration. Incomplete results may be returned. |
0x05 | 5 | LDAP_COMPARE_FALSE | IESG | RFC 4511 | DSA | Does not indicate an error condition. This is used to indicate that a Compare Request operation completed successfully, but the provided attribute value assertion did not match the target entry. |
0x06 | 6 | LDAP_COMPARE_TRUE | IESG | RFC 4511 | DSA | Does not indicate an error condition. This is used to indicate that a Compare Request operation completed successfully, and the provided attribute value assertion matched the target entry. |
0x07 | 7 | LDAP_AUTH_METHOD_NOT_SUPPORTED | IESG | RFC 4511 | DSA | This is used to indicate that the Directory Server does not support the requested Authentication Method. |
0x08 | 8 | LDAP_STRONG_AUTH_REQUIRED | IESG | RFC 4511 | DSA | Indicates one of the following: * In Bind Requests, the LDAP server accepts only strong authentication. * In a client request, the client requested an operation such as Delete Request that requires strong authentication. * In an Unsolicited Notification of disconnection, the LDAP server discovers the security protecting the communication between the client and server has unexpectedly failed or been compromised. |
0x09 | 9 | reserved(partialResults) | IESG | RFC 4511 | N/A | (Deprecated) Was used in LDAPv2, where the Server (DSA) returned a "partial result" LDAP Result Code response that contains the referral URL. |
0x0A | 10 | LDAP_REFERRAL | IESG | RFC 4511 | DSA | Does not indicate an error condition. In LDAPv3, indicates that the server does not hold the target entry of the request, but that the servers in the LDAP Referral field may. |
0x0B | 11 | LDAP_ADMINLIMIT_EXCEEDED | IESG | RFC 4511 | DSA | |
0x0C | 12 | LDAP_UNAVAILABLE_CRITICAL_EXTENSION | IESG | RFC 4511 | DSA | Indicates that the LDAP server was unable to satisfy a request because one or more critical extensions were not available. Either the server does not support the control or the control is not appropriate for the operation type. |
0x0D | 13 | LDAP_CONFIDENTIALITY_REQUIRED | IESG | RFC 4511 | DSA | Indicates that the session is not protected by a protocol such as Transport Layer Security (TLS), which provides session confidentiality and the request will not be handled without confidentiality enabled. |
0x0E | 14 | LDAP_SASL_BIND_IN_PROGRESS | IESG | RFC 4511 | DSA | Does not indicate an error condition, but indicates that the server is ready for the next step in the process. The client must send the server the same SASL Mechanism to continue the process. |
0x0F | 15 | Not used. | N/A | N/A | N/A | N/A |
0x10 | 16 | LDAP_NO_SUCH_ATTRIBUTE | IESG | RFC 4511 | DSA | Indicates that the attribute specified in the Modify Request or Compare Request operation does not exist in the entry. |
0x11 | 17 | LDAP_UNDEFINED_TYPE | IESG | RFC 4511 | DSA | Indicates that the attribute specified in the modify or add operation does not exist in the LDAP server's schema. |
0x12 | 18 | LDAP_INAPPROPRIATE_MATCHING | IESG | RFC 4511 | DSA | Indicates that the matching rule specified in the search filter does not match a rule defined for the attribute's syntax. |
0x13 | 19 | LDAP_CONSTRAINT_VIOLATION | IESG | RFC 4511 | DSA | Indicates that the attribute value specified in an Add Request, Modify Request or ModifyDNRequest operation violates constraints placed on the attribute. The constraint can be one of size or content (string only, no binary). |
0x14 | 20 | LDAP_TYPE_OR_VALUE_EXISTS | IESG | RFC 4511 | DSA | Indicates that the attribute value specified in an Add Request or Modify Request operation already exists as a value for that attribute. |
0x15 | 21 | LDAP_INVALID_SYNTAX | IESG | RFC 4511 | DSA | Indicates that the attribute value specified in an Add Request, Compare Request, or Modify Request operation is an unrecognized or invalid syntax for the attribute. |
N/A | 22-31 | Not used. | N/A | N/A | N/A | N/A |
0x20 | 32 | LDAP_NO_SUCH_OBJECT | IESG | RFC 4511 | DSA | Indicates the target object cannot be found. This code is NOT returned on the following operations: * SearchRequest operations that find the BaseDN but cannot find any LDAP entries that match the search filter. * Bind Request operations. |
0x21 | 33 | LDAP_ALIAS_PROBLEM | IESG | RFC 4511 | DSA | Indicates that an error occurred when an alias was dereferenced. |
0x22 | 34 | LDAP_INVALID_DN_SYNTAX | IESG | RFC 4511 | DSA | Indicates that the syntax of the DN is incorrect. (If the DN syntax is correct, but the LDAP server's structure rules do not permit the operation, the server returns LDAP_UNWILLING_TO_PERFORM.) |
0x23 | 35 | LDAP_IS_LEAF(Some Server RESERVED) | IESG | RFC 4511 | DSA | Indicates that the specified operation cannot be performed on a leaf entry. (This code is not currently in the LDAP specifications, but is reserved for this constant.) |
0x24 | 36 | LDAP_ALIAS_DEREF_PROBLEM | IESG | RFC 4511 | DSA | Indicates that during a SearchRequest operation, either the client does not have access rights to read the aliased object's name or dereferencing is not allowed. |
N/A | 37-47 | reserved | N/A | N/A | N/A | N/A |
0x30 | 48 | LDAP_INAPPROPRIATE_AUTH | IESG | RFC 4511 | DSA | Indicates that during a Bind Request operation, the client is attempting to use an authentication Method that the client cannot use correctly. For example, either of the following cause this error: * The client returns simple credentials when strong credentials are required. * The client returns a DN and a password for a simple bind when the entry does not have a password defined. |
0x31 | 49 | LDAP_INVALID_CREDENTIALS | IESG | RFC 4511 | DSA | Indicates that during a Bind Request operation one of the following occurred: * The client passed either an incorrect DN or password. * The password is incorrect because it has expired, Intruder Detection has locked the account, or some other similar reason. |
0x32 | 50 | LDAP_INSUFFICIENT_ACCESS | IESG | RFC 4511 | DSA | Indicates that the caller does not have sufficient rights to perform the requested operation. |
0x33 | 51 | LDAP_BUSY | IESG | RFC 4511 | DSA | Indicates that the LDAP server is too busy to process the client request at this time but if the client waits and resubmits the request, the server may be able to process it then. |
0x34 | 52 | LDAP_UNAVAILABLE | IESG | RFC 4511 | DSA | Indicates that the LDAP server cannot process the client's bind request, usually because it is shutting down. |
0x35 | 53 | LDAP_UNWILLING_TO_PERFORM | IESG | RFC 4511 | DSA | Indicates that the LDAP server cannot process the request because of server-defined restrictions. This error is returned for the following reasons: * The Add Request violates the server's structure rules. * The Modify Request specifies attributes that users cannot modify. * Password restrictions prevent the action. * Connection restrictions prevent the action. |
0x36 | 54 | LDAP_LOOP_DETECT | IESG | RFC 4511 | DSA | Indicates that the client discovered an alias or LDAP Referral loop, and is thus unable to complete this request. |
N/A | 55-63 | reserved | IESG | N/A | N/A | N/A |
0x40 | 64 | LDAP_NAMING_VIOLATION | IESG | RFC 4511 | DSA | Indicates that the Add Request or Modify DN Request operation violates the schema's structure rules. For example: * The request places the entry subordinate to an alias. * The request places the entry subordinate to a container that is forbidden by the containment rules. * The RDN for the entry uses a forbidden attribute type. |
0x41 | 65 | LDAP_OBJECT_CLASS_VIOLATION | IESG | RFC 4511 | DSA | Indicates that the Add Request, Modify Request, or modify DN operation violates the object class rules for the entry. For example, the following types of request return this error: * The add or modify operation tries to add an entry without a value for a required attribute. * The add or modify operation tries to add an entry with a value for an attribute which the class definition does not contain. * The modify operation tries to remove a required attribute without removing the auxiliary class that defines the attribute as required. |
0x42 | 66 | LDAP_NOT_ALLOWED_ON_NONLEAF | IESG | RFC 4511 | DSA | Indicates that the requested operation is permitted only on leaf entries. For example, the following types of requests return this error: * The client requests a delete operation on a parent entry. * The client requests a modify DN operation on a parent entry. |
0x43 | 67 | LDAP_NOT_ALLOWED_ON_RDN | IESG | RFC 4511 | DSA | Indicates that the modify operation attempted to remove an attribute value that forms the entry's relative distinguished name. |
0x44 | 68 | LDAP_ALREADY_EXISTS | IESG | RFC 4511 | DSA | Indicates that the add operation attempted to add an entry that already exists, or that the modify operation attempted to rename an entry to the name of an entry that already exists. |
0x45 | 69 | LDAP_NO_OBJECT_CLASS_MODS | IESG | RFC 4511 | DSA | Indicates that the modify operation attempted to modify the structure rules of an object class. |
0x46 | 70 | LDAP_RESULTS_TOO_LARGE | IESG | RFC 4511 | DSA | Reserved for CLDAP. |
0x47 | 71 | LDAP_AFFECTS_MULTIPLE_DSAS | | | DSA | Indicates that the modify DN operation moves the entry from one LDAP server to another and thus requires more than one LDAP server. |
N/A | 72-79 | reserved | IESG | N/A | N/A | N/A |
0x50 | 80 | LDAP_OTHER | IESG | RFC 4511 | DSA | Indicates an unknown error condition. This is the default value for NDS error codes which do not map to other LDAP error codes. |
N/A | 81-90 | reserved (LDAP Client Error And Result Codes) | IESG | RFC 4511 | DUA | reserved (LDAP Client Error And Result Codes) APIs May Vary by API Implementation |
0x51 | 81 | LDAP_SERVER_DOWN | | | DUA | Client-side result code that indicates that the LDAP libraries cannot establish an initial connection with the LDAP server. Either the LDAP server is down or the specified host name or port number is incorrect. |
0x52 | 82 | LDAP_LOCAL_ERROR | | | DUA | Client-side result code that indicates that the LDAP client has an error. This is usually a failed dynamic memory allocation error. |
0x53 | 83 | LDAP_ENCODING_ERROR | | | DUA | Client-side result code that indicates that the LDAP client encountered errors when encoding an LDAP request intended for the LDAP server. |
0x54 | 84 | LDAP_DECODING_ERROR | | | DUA | Client-side result code that indicates that the LDAP client encountered errors when decoding an LDAP response from the LDAP server. |
0x55 | 85 | LDAP_TIMEOUT | | | DUA | Client-side result code that indicates that the Timeout limit of the LDAP client was exceeded while waiting for a result. |
0x56 | 86 | LDAP_AUTH_UNKNOWN | | | DUA | Client-side result code that indicates that a bind method was called with an unknown authentication method. |
0x57 | 87 | LDAP_FILTER_ERROR | | | DUA | Client-side result code that indicates that the search method was called with an invalid search filter. |
0x58 | 88 | LDAP_USER_CANCELLED | | | DUA | Client-side result code that indicates that the user cancelled the LDAP operation. |
0x59 | 89 | LDAP_PARAM_ERROR | | | DUA | Client-side result code that indicates that an invalid parameter was supplied. |
0x5a | 90 | LDAP_NO_MEMORY | | | DUA | Client-side result code that indicates that a dynamic memory allocation method failed when calling an LDAP method. |
0x5b | 91 | LDAP_CONNECT_ERROR | | | DUA | Client-side result code that indicates that the LDAP client has either lost its connection or cannot establish a connection to the LDAP server. |
0x5c | 92 | LDAP_NOT_SUPPORTED | | | DUA | Client-side result code that indicates that the requested functionality is not supported by the client. For example, if the LDAP client is established as an LDAPv2 client, the libraries set this error code when the client requests LDAPv3 functionality. |
0x5d | 93 | LDAP_CONTROL_NOT_FOUND | | | DUA | Client-side result code that indicates that the client requested a control that the libraries cannot find in the list of supported controls sent by the LDAP server. |
0x5e | 94 | LDAP_NO_RESULTS_RETURNED | | | DUA | Client-side result code that indicates that the LDAP server sent no results. |
0x5f | 95 | LDAP_MORE_RESULTS_TO_RETURN | | | DUA | Client-side result code that indicates that more results are chained in the result message. |
0x60 | 96 | LDAP_CLIENT_LOOP | | | DUA | Client-side result code that indicates the LDAP libraries detected a loop. Usually this happens when following referrals. |
0x61 | 97 | LDAP_REFERRAL_LIMIT_EXCEEDED | | | DUA | Client-side result code that indicates that the referral exceeds the hop limit. The default hop limit is ten. |
0x64 | 100 | INVALID_RESPONSE | | | DUA | This is a client-side result code that is used to indicate that the result received from the server was ambiguous (for example, there was more than one response received for the associated operation). |
0x65 | 101 | AMBIGUOUS_RESPONSE | | | DUA | This is a client-side result code that is used to indicate that the result received from the server was ambiguous (for example, there was more than one response received for the associated operation). |
0x70 | 112 | TLS_NOT_SUPPORTED | | | DSA | Indicates that TLS is not supported on the server. |
0x71 | 113 | lcupResourcesExhausted | IESG | RFC 3928 | DSA | The server is running out of resources. LDAP Client Update Protocol |
0x72 | 114 | lcupSecurityViolation | IESG | RFC 3928 | DSA | The client is suspected of malicious actions. LDAP Client Update Protocol |
0x73 | 115 | lcupInvalidData | IESG | RFC 3928 | DSA | An invalid cookie was supplied by the client: the scheme part, the value part, or both were invalid. LDAP Client Update Protocol |
0x74 | 116 | lcupUnsupportedScheme | IESG | RFC 3928 | DSA | The scheme part of the cookie is a valid OID but is not supported by this server. LDAP Client Update Protocol |
0x75 | 117 | lcupReloadRequired | IESG | RFC 3928 | DSA | Indicates that client data needs to be reinitialized. This reason is returned if the server does not synchronize the client or if the server's data was reloaded since the last synchronization session. LDAP Client Update Protocol |
0x78 | 118 | canceled | IESG | RFC 3909 | DSA | The Cancel request is an ExtendedRequest with the requestName field containing 1.3.6.1.1.8 and a requestValue field which contains a BER-encoded cancelRequestValue value. |
0x79 | 119 | noSuchOperation | IESG | RFC 3909 | DSA | Returned if the server has no knowledge of the operation requested for cancellation. |
0x7A | 120 | tooLate | IESG | RFC 3909 | DSA | Returned to indicate that it is too late to cancel the outstanding operation. |
0x7B | 121 | cannotCancel | IESG | RFC 3909 | DSA | Returned if the identified operation does not support cancellation or the cancel operation could not be performed. |
0x7C | 122 | assertionFailed | IESG | RFC 4528 | DSA | When the control is attached to an LDAP request, the processing of the request is conditional on the evaluation of the Filter as applied against the target of the operation. If the Filter evaluates to TRUE, then the request is processed normally. If the Filter evaluates to FALSE or Undefined, then assertionFailed (122) resultCode is returned, and no further processing is performed. |
0x7D | 123 | authorizationDenied | WELTMAN | RFC 4532 | DSA | Used to indicate that the server does not allow the client to assume the asserted identity. |
N/A | 4096-16383 | First Come, First Serve Range | N/A | N/A | N/A | First Come, First Serve Range |
0x7D | 4096 | e-syncRefreshRequired | Kurt Zeilenga Jong Hyuk Choi | RFC 4533 | DSA | specification describes the LDAP allowing a DUA to maintain a copy of a fragment of the DIT. |
More Information
[1] LDAP Error Codes - based on 2013-04-10