OpenLDAP is sometimes criticised for poor error messages and diagnostics. Partly this is due to the generic standardisation of error messages which limits the implementation's ability to be informative and creative (in all fairness they also add a textual element to help pin-point the problem) and partly to the fact that many error messages are reported via clients which can do some serious mangling of any original diagnostics.
The best information comes from OpenLDAP's rather voluminous logging (certainly when using loglevel -1).
We document below some information on reading OpenLDAP's log and the standard LDAP error messages with some hints as to where the possible cause may lie.
These error messages are taken from RFC 4511 Section 4.1.9, a draft RFC on the LDAP C API (dating from 2000), and inspection of OpenLDAP LDAPResult.h.
|LDAP_SUCCESS||0 (x'00)||The request was successful.|
|LDAP_OPERATIONS_ERROR||1 (x'01)||An operations error occurred.|
|LDAP_PROTOCOL_ERROR||2 (x'02)||A protocol violation was detected.|
|LDAP_TIMELIMIT_EXCEEDED||3 (x'03)||An LDAP time limit was exceeded.|
|LDAP_SIZELIMIT_EXCEEDED||4 (x'04)||An LDAP size limit was exceeded.|
|LDAP_COMPARE_FALSE||5 (x'05)||A compare operation returned false.|
|LDAP_COMPARE_TRUE||6 (x'06)||A compare operation returned true.|
|LDAP_STRONG_AUTH_NOT_SUPPORTED||7 (x'07)||The LDAP server does not support strong authentication.|
|LDAP_STRONG_AUTH_REQUIRED||8 (x'08)||Strong authentication is required for the operation.|
|LDAP_PARTIAL_RESULTS||9 (x'09)||Partial results only returned.|
|LDAP_REFERRAL||10 (x'0A)||Indicates an LDAP Referral response. The message will include one or more LDAP URLs to which the client should re-direct subsequent operations for this DN.|
|LDAP_ADMINLIMIT_EXCEEDED||11 (x'0B)||Indicates that any limit placed on the number of entries to be searched within the server has been exceeded.|
|LDAP_UNAVAILABLE_CRITICAL_EXTENSION||12 (x'0C)||Indicates that a control or matching rule, requested in the operation, is not supported by this server.|
|LDAP_CONFIDENTIALITY_REQUIRED||13 (x'0D)||The server configuration requires some form of confidentiality (TLS/SSL or SASL) when performing the bind with the provided DN, for example, a global or database security directive may require some form of SSF during simple_bind or update operations.|
|LDAP_SASL_BIND_IN_PROGRESS||14 (x'0E)||The server is currently performing a SASL bind and the requested operation is invalid in this context.|
|LDAP_NO_SUCH_ATTRIBUTE||16 (x'10)||The attribute specified in the request does not exist in the entry.|
|LDAP_UNDEFINED_TYPE||17 (x'11)||The attribute type specified in the request was invalid.|
|LDAP_INAPPROPRIATE_MATCHING||18 (x'12)||Indicates the extensible match filter matching rule is not supported for the specified attribute type.|
|LDAP_CONSTRAINT_VIOLATION||19 (x'13)||An attribute value specified in an operation violates some constraint. 1. String too long. 2. Wrong type - string written to numeric attribute. 3. Invalid value, for example, attribute may take a specific value or one of a set of values.|
|LDAP_TYPE_OR_VALUE_EXISTS||20 (x'14)||An attribute type or attribute value specified already exists in the entry. 1. Adding entry - one or more attributes in an LDIF (or add/replace operation) for an entry are exactly the same (duplicated).|
|LDAP_INVALID_SYNTAX||21 (x'15)||An invalid attribute value was specified.|
|22 - 31||(x'16 - x'1F). Unused.|
|LDAP_NO_SUCH_OBJECT||32 (x'20)||The specified entry does not exist in the directory (DIT).|
|LDAP_ALIAS_PROBLEM||33 (x'21)||An alias in the DIT points to a nonexistent entry.|
|LDAP_INVALID_DN_SYNTAX||34 (x'22)||A syntactically invalid DN was specified. May also happen if you use an LDIF format file (dn: cn=xxx etc.) with ldapdelete which only requires a plain DN.|
|35 (x'23)||Reserved and unused in LDAPv3 (LDAPv2: LDAP_IS_LEAF The object specified is a leaf)|
|LDAP_ALIAS_DEREF_PROBLEM||36 (x'24)||A problem was encountered when dereferencing an alias. See also 33.|
|37 - 47||(x'25 - x'2F). Unused.|
|LDAP_INAPPROPRIATE_AUTH||48 (x'30)||Inappropriate authentication was specified, for example, LDAP_AUTH_SIMPLE was specified and the entry does not have a userPassword attribute.|
|LDAP_INVALID_CREDENTIALS||49 (x'31)||Invalid credentials were presented, for example, the wrong password. Additional text: unable to get TLS Client DN. 1. No client certificate when TLSVerifyClient is 'demand'. 2. No client certificate when TLSVerifyClient is 'never', in which case the error message is not fatal and service continues.|
|LDAP_INSUFFICIENT_ACCESS||50 (x'32)||The user has insufficient access to perform the operation.|
|LDAP_BUSY||51 (x'33)||The server (DSA) is too busy to perform the requested operation.|
|LDAP_UNAVAILABLE||52 (x'34)||The DSA is unavailable, for example, it may be halted, paused or initialising.|
|LDAP_UNWILLING_TO_PERFORM||53 (x'35)||The server (DSA) is unwilling to perform the operation. Additional text: no global superior knowledge - the name that is being added or modified does not exist in any naming context or does not have a valid referral. 1. No olcSuffix attribute (or no suffix directive in slapd.conf) for the referenced DIT. Additional text: Shadow context; no update referral - the DIT being updated is a replica in read-only mode and the absence of an updateref directive means a referral cannot be returned. 1. A write had been attempted to a read-only replica (the consumer in a syncrepl configuration is always read-only). 2. In a multi-master syncrepl configuration mirrormode true may be missing from the slapd.conf file. 3. If slapd was loaded using a slapd.conf file and a slapd.d directory (cn=config) also exists then subsequent modifications to a DIT can fail with this message. FreeBSD in particular needs an explicit entry in rc.conf (slapd_cn_config="YES") to force use of slapd.d.|
|LDAP_LOOP_DETECT||54 (x'36)||A loop was detected.|
|55 - 59||(x'37 - x'3B). Unused.|
|LDAP_SORT_CONTROL_MISSING||60 (x'3C)||Unused in standards. Sun LDAP Directory Server only. Server did not receive a required server-side sorting control.|
|LDAP_RANGE_INDEX_ERROR||61 (x'3D)||Unused in standards. Sun LDAP Directory Server only. The search results exceeded the range specified by the requested offsets.|
|62 - 63||(x'3E - x'3F). Unused.|
|LDAP_NAMING_VIOLATION||64 (x'40)||Indicates the request contained a naming violation within the current DIT.|
|LDAP_OBJECT_CLASS_VIOLATION||65 (x'41)||An object class violation occurred when using the current schema, for example, a "must" attribute was missing when adding an entry.|
|LDAP_NOT_ALLOWED_ON_NONLEAF||66 (x'42)||The operation is not allowed on a nonleaf (one that has child entries) entry.|
|LDAP_NOT_ALLOWED_ON_RDN||67 (x'43)||The operation is not allowed on an RDN, for example, deleting an attribute that is used as an RDN within the DN.|
|LDAP_ALREADY_EXISTS||68 (x'44)||The entry already exists in this DIT.|
|LDAP_NO_OBJECT_CLASS_MODS||69 (x'45)||Object class modifications are not allowed.|
|LDAP_RESULTS_TOO_LARGE||70 (x'46)||C API (draft) only. Results too large to be contained in this message.|
|LDAP_AFFECTS_MULTIPLE_DSAS||71 (x'47)||Indicates the operation needs to be performed on multiple servers (DSAs) and this is not permitted.|
|72 - 79||(x'48 - x'4F). Unused.|
|LDAP_OTHER||80 (x'50)||An unknown error occurred. Attempting to delete an attribute (especially in cn=config) that is not permitted. olcDbDirectory: value #0: invalid path: No such file or directory. Possible cause: the path for the database must exist before initialising a new database.|
|LDAP_SERVER_DOWN||81 (x'51)||C API (draft) only. The LDAP library can't contact the LDAP server.|
|LDAP_LOCAL_ERROR||82 (x'52)||C API (draft) only. Some local error occurred. This is usually a failed dynamic memory allocation.|
|LDAP_ENCODING_ERROR||83 (x'53)||C API (draft) only. An error was encountered encoding parameters to send to the LDAP server.|
|LDAP_DECODING_ERROR||84 (x'54)||C API (draft) only. An error was encountered decoding a result from the LDAP server.|
|LDAP_TIMEOUT||85 (x'55)||C API (draft) only. A timelimit was exceeded while waiting for a result.|
|LDAP_AUTH_UNKNOWN||86 (x'56)||C API (draft) only. The authentication method specified to ldap_bind() is not known.|
|LDAP_FILTER_ERROR||87 (x'57)||C API (draft) only. An invalid filter was supplied to ldap_search() (for instance, unbalanced parentheses).|
|LDAP_USER_CANCELLED||88 (x'58)||C API (draft) only. Indicates the user canceled the requested operation.|
|LDAP_PARAM_ERROR||89 (x'59)||C API (draft) only. An ldap routine was called with a bad parameter.|
|LDAP_NO_MEMORY||90 (x'5A)||C API (draft) only. A memory allocation (e.g., malloc(3) or other dynamic memory allocator) call failed in an ldap library routine.|
|LDAP_CONNECT_ERROR||91 (x'5B)||C API (draft) only. A Library/Client cannot connect to an LDAP server defined in a URL.|
|LDAP_NOT_SUPPORTED||92 (x'5C)||C API (draft) only. Indicates request uses feature not supported by this server.|
|LDAP_CONTROL_NOT_FOUND||93 (x'5D)||C API (draft) only. A requested control was not found on this server.|
|LDAP_NO_RESULTS_RETURNED||94 (x'5E)||C API (draft) only. The requested operation was successful but no results were returned (obtained).|
|LDAP_MORE_RESULTS_TO_RETURN||95 (x'5F)||C API (draft) only. The requested operation was successful but more results need to be returned than could fit in the current message.|
|LDAP_CLIENT_LOOP||96 (x'60)||C API (draft) only. Client detected a loop, for example, following referrals.|
|LDAP_REFERRAL_LIMIT_EXCEEDED||97 (x'61)||C API (draft) only. The server or client exceeded any defined referral limit.|
This section shows some annotated OpenLDAP logs. Lines beginning # are comments inserted for the purposes of annotation and would not be present in a normal log.
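As an added example (not part of the original page), the following Python script applies the result codes tabulated above to slapd's connection/operation log lines: it reports results that indicate a real failure and counts LDAP_INVALID_CREDENTIALS (49) bind results per client address and bind DN. The sample log lines, addresses and DNs are constructed for illustration.

```python
import re
from collections import Counter

# Subset of the decimal result codes from the table above.
NAMES = {13: "LDAP_CONFIDENTIALITY_REQUIRED", 32: "LDAP_NO_SUCH_OBJECT",
         48: "LDAP_INAPPROPRIATE_AUTH", 49: "LDAP_INVALID_CREDENTIALS",
         50: "LDAP_INSUFFICIENT_ACCESS", 53: "LDAP_UNWILLING_TO_PERFORM"}
# Codes that are not failures: success, compare false/true, referral,
# SASL bind in progress.
NOT_FAILURES = {0, 5, 6, 10, 14}

ACCEPT = re.compile(r"conn=(\d+) fd=\d+ ACCEPT from IP=(\S+):\d+")
BIND = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)"')
RESULT = re.compile(r"conn=(\d+) op=(\d+) (?:SEARCH )?RESULT tag=\d+ err=(\d+)")

def failed_operations(lines):
    """Yield one record per RESULT line that reports a real failure."""
    peer, bind_dn = {}, {}
    for line in lines:
        if m := ACCEPT.search(line):
            peer[m[1]] = m[2]                 # conn -> client address
        elif m := BIND.search(line):
            bind_dn[(m[1], m[2])] = m[3]      # (conn, op) -> DN being bound
        elif m := RESULT.search(line):
            code = int(m[3])
            if code not in NOT_FAILURES:
                yield {"conn": m[1], "op": m[2], "code": code,
                       "name": NAMES.get(code, f"code {code}"),
                       "peer": peer.get(m[1], "unknown"),
                       "bind_dn": bind_dn.get((m[1], m[2]), "")}

def bind_failures(lines):
    """Count err=49 bind results per (client address, bind DN)."""
    return Counter((f["peer"], f["bind_dn"])
                   for f in failed_operations(lines) if f["code"] == 49)

# Constructed sample lines in slapd's connection/operation log format.
SAMPLE = """\
slapd[1234]: conn=1001 fd=12 ACCEPT from IP=192.0.2.10:51234 (IP=0.0.0.0:389)
slapd[1234]: conn=1001 op=0 BIND dn="uid=alice,ou=people,dc=example,dc=com" method=128
slapd[1234]: conn=1001 op=0 RESULT tag=97 err=49 text=
slapd[1234]: conn=1001 op=1 BIND dn="uid=alice,ou=people,dc=example,dc=com" method=128
slapd[1234]: conn=1001 op=1 RESULT tag=97 err=49 text=
slapd[1234]: conn=1002 fd=13 ACCEPT from IP=192.0.2.20:40100 (IP=0.0.0.0:389)
slapd[1234]: conn=1002 op=0 RESULT tag=111 err=6 text=
slapd[1234]: conn=1002 op=1 RESULT tag=103 err=50 text=
slapd[1234]: conn=1002 op=2 SEARCH RESULT tag=101 err=32 nentries=0 text=
""".splitlines()
if __name__ == "__main__":
    print(*failed_operations(SAMPLE), bind_failures(SAMPLE), sep="\n")
```

The compare result with err=6 (LDAP_COMPARE_TRUE) is deliberately not reported: a non-zero code is not always an error.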
This work is licensed under a Creative Commons License.
Copyright © 1994 - 2023 ZyTrax, Inc.
Page modified: January 20 2022.