Return codes for security plug-ins
All security plug-in APIs must return an integer value to indicate the success or failure of the execution of the API. A return code value of 0 indicates that the API ran successfully. All negative return codes, with the exception of -3, -4, and -5, indicate that the API encountered an error.
All negative return codes returned from the security-plug-in APIs are mapped to SQLCODE -1365, SQLCODE -1366, or SQLCODE -30082, with the exception of return codes with the -3, -4, or -5. The values -3, -4, and -5 are used to indicate whether or not an authorization ID represents a valid user or group.
All the security plug-in API return codes are defined in db2secPlugin.h, which can be found in the Db2® include directory: SQLLIB/include.
Details regarding all of the security plug-in return codes
are presented in the following table:
| Return code | Define value | Meaning | Applicable APIs |
|---|---|---|---|
| 0 | DB2SEC_PLUGIN_OK |
The plug-in API executed successfully. | All |
| -1 | DB2SEC_PLUGIN_UNKNOWNERROR |
The plug-in API encountered an unexpected error. | All |
| -2 | DB2SEC_PLUGIN_BADUSER |
The user ID passed in as input is not defined. | db2secGenerateInitialCred
db2secValidatePassword db2secRemapUserid db2secGetGroupsForUser |
| -3 | DB2SEC_PLUGIN |
No such user or group. | db2secDoesAuthIDExist
db2secDoesGroupExist |
| -4 | DB2SEC_PLUGIN |
Unknown user status. This is not treated as an error by Db2; it is used by a GRANT statement to determine if an authid represents a user or an operating system group. | db2secDoesAuthIDExist |
| -5 | DB2SEC_PLUGIN |
Unknown group status. This is not treated as an error by Db2; it is used by a GRANT statement to determine if an authid represents a user or an operating system group. | db2secDoesGroupExist |
| -6 | DB2SEC_PLUGIN_UID_EXPIRED |
User ID expired. | db2secValidatePassword
db2GetGroupsForUser db2secGenerateInitialCred |
| -7 | DB2SEC_PLUGIN_PWD_EXPIRED |
Password expired. | db2secValidatePassword
db2GetGroupsForUser db2secGenerateInitialCred |
| -8 | DB2SEC_PLUGIN_USER_REVOKED |
User revoked. | db2secValidatePassword
db2GetGroupsForUser |
| -9 | DB2SEC_PLUGIN |
User suspended. | db2secValidatePassword
db2GetGroupsForUser |
| -10 | DB2SEC_PLUGIN_BADPWD |
Bad password. | db2secValidatePassword
db2secRemapUserid db2secGenerateInitialCred |
| -11 | DB2SEC_PLUGIN |
Bad new password. | db2secValidatePassword
db2secRemapUserid |
| -12 | DB2SEC_PLUGIN |
Change password not supported. | db2secValidatePassword
db2secRemapUserid db2secGenerateInitialCred |
| -13 | DB2SEC_PLUGIN_NOMEM |
Plug-in attempt to allocate memory failed due to insufficient memory. | All |
| -14 | DB2SEC_PLUGIN_DISKERROR |
Plug-in encountered a disk error. | All |
| -15 | DB2SEC_PLUGIN_NOPERM |
Plug-in attempt to access a file failed because of wrong permissions on the file. | All |
| -16 | DB2SEC_PLUGIN_NETWORKERROR |
Plug-in encountered a network error. | All |
| -17 | DB2SEC_PLUGIN |
Plug-in is unable to load a required library. | db2secGroupPluginInit
db2secClientAuthPluginInit db2secServerAuthPluginInit |
| -18 | DB2SEC_PLUGIN_CANT |
Plug-in is unable to open and read a file for a reason other than missing file or inadequate file permissions. | All |
| -19 | DB2SEC_PLUGIN_FILENOTFOUND |
Plug-in is unable to open and read a file, because the file is missing from the file system. | All |
| -20 | DB2SEC_PLUGIN |
The plug-in is refusing the connection because of the restriction on which database is allowed to connect, or the TCP/IP address cannot connect to a specific database. | All server-side plug-in APIs. |
| -21 | DB2SEC_PLUGIN_NO_CRED |
GSS API plug-in only: initial client credential is missing. | db2secGetDefaultLoginContext
db2secServerAuthPluginInit |
| -22 | DB2SEC_PLUGIN_CRED_EXPIRED |
GSS API plug-in only: client credential has expired. | db2secGetDefaultLoginContext
db2secServerAuthPluginInit |
| -23 | DB2SEC_PLUGIN |
GSS API plug-in only: the principal name is invalid. | db2secProcessServer
PrincipalName |
| -24 | DB2SEC_PLUGIN |
This return code is returned by the
db2secGetConDetails callback (for example, from Db2 to the plug-in) to
indicate that Db2 is unable to determine the client's TCP/IP address. |
db2secGetConDetails |
| -25 | DB2SEC_PLUGIN |
Some parameters are not valid or are missing when plug-in API is called. | All |
| -26 | DB2SEC_PLUGIN |
The version of the APIs reported by the plug-in is not compatible with Db2. | db2secGroupPluginInit
db2secClientAuthPluginInit db2secServerAuthPluginInit |
| -27 | DB2SEC_PLUGIN_PROCESS_LIMIT |
Insufficient resources are available for the plug-in to create a new process. | All |
| -28 | DB2SEC_PLUGIN_NO_LICENSES |
The plug-in encountered a user license problem. A possibility exists that the underlying mechanism license has reached the limit. | All |
| -29 | DB2SEC_PLUGIN_ROOT_NEEDED |
The plug-in is trying to run an application that requires root privileges. | All |
| -30 | DB2SEC_PLUGIN_UNEXPECTED_SYSTEM_ERROR |
The plug-in encountered an unexpected system error. A possibility exists that the current system configuration is not supported. | All |