LDAP return codes

If errors occur in the LDAP server during a client request, a return code is returned as part of the operations response. The return codes that are returned by the z/OS® LDAP server on client requests are documented in /usr/include/ldap.h. However, only a subset of the documented return codes in ldap.h is allowed to be returned by the z/OS LDAP server. When an error occurs in the LDAP server, more specific information about the error is returned to the client application in the reason code message. See LDAP reason codes for information about the reason codes.

Table 1 summarizes these return codes in the ldap.h file. All other return codes that are documented in the ldap.h file are returned by the LDAP C client routines.

Table 1. LDAP server return codes
#define in ldap.h file	LDAP return code decimal (hexadecimal)	LDAP return code description
LDAP_SUCCESS	0 (0x00)	The operation is successful.
LDAP_OPERATIONS_ERROR	1 (0x01)	An internal operations error occurred in the LDAP server.
LDAP_PROTOCOL_ERROR	2 (0x02)	The LDAP server encountered an LDAP client request that is not a valid LDAP message. Verify that the LDAP client request messages are encoded properly.
LDAP_TIMELIMIT_EXCEEDED	3 (0x03)	The time limit for the search request has been exceeded. See about the timelimit option for more information about how time limits are processed in the LDAP server.
LDAP_SIZELIMIT_EXCEEDED	4 (0x04)	The size limit on the search request has been exceeded. See the about the sizelimit option for more information about how size limits are processed in the LDAP server.
LDAP_COMPARE_FALSE	5 (0x05)	The attribute value specified for the attribute type on the compare request does not exist in the entry.
LDAP_COMPARE_TRUE	6 (0x06)	The attribute value specified for the attribute type on the compare request does exist in the entry.
LDAP_STRONG_AUTH_NOT_SUPPORTED	7 (0x07)	The requested authentication mechanism is not supported by the z/OS LDAP server. The bind mechanisms supported by the z/OS LDAP server are: anonymous, simple, CRAM-MD5, DIGEST-MD5, GSSAPI (Kerberos), and SASL EXTERNAL.
LDAP_STRONG_AUTH_REQUIRED	8 (0x08)	Not currently returned by the z/OS LDAP server.
LDAP_PARTIAL_RESULTS	9 (0x09)	The LDAP server encountered an error while processing an LDAP Version 2 search request and a referral entry was encountered. This return code is used to indicate that not all search results have been obtained because LDAP version 2 client applications do not follow referrals automatically.
LDAP_REFERRAL	10 (0x0A)	The LDAP server encountered a referral while processing a search request. The client application may follow the referral to another LDAP server to process the remainder of the request.
LDAP_ADMIN_LIMIT_EXCEEDED	11 (0x0B)	Not currently returned by the z/OS LDAP server.
LDAP_UNAVAILABLE_CRITICAL_ EXTENSION	12 (0x0C)	Not currently returned by the z/OS LDAP server.
LDAP_CONFIDENTIALITY_REQUIRED	13 (0x0D)	A control specified on an LDAP client request had the control criticality set to true however the server does not recognize the control or the control is not appropriate for the operation. If the control is not critical, set the criticality to false to allow the LDAP server to ignore the control if it is always sent on all client requests. See Supported server controls for more information about the supported controls in the z/OS LDAP server.
LDAP_SASLBIND_IN_PROGRESS	14 (0x0E)	A CRAM-MD5, DIGEST-MD5, or GSSAPI (Kerberos) bind is currently in progress. This is a temporary error that occurs on these multi handshake binds between the client and server.
LDAP_NO_SUCH_ATTRIBUTE	16 (0x10)	An attribute type specified on the LDAP client request does not exist in the entry. Verify that the entry being modified or compared has the attribute that was specified.
LDAP_UNDEFINED_TYPE	17 (0x11)	An attribute specified on the LDAP client request does not exist in the schema of the LDAP. The attribute must be added to the LDAP server's schema so that it can be used.
LDAP_INAPPROPRIATE_MATCHING	18 (0x12)	The LDAP server encountered an error during a search request because the search filter is attempting to use a matching rule that is not supported by the attribute type. This can occur while attempting to use an attribute type/value pair in the search filter that has binary syntax. These types of search filters are not supported in the z/OS LDAP server.
LDAP_CONSTRAINT_VIOLATION	19 (0x13)	The LDAP server encountered a constraint error during a client request. This error can occur if an integer value specified on an integer syntax attribute is too large or small, an entry is attempted to be added or modified with an obsoleted objectclass or attribute type, or a non-user modifiable attribute type in the schema.
LDAP_TYPE_OR_VALUE_EXISTS	20 (0x14)	The LDAP server encountered an error during a client request because the attribute type or the attribute type and value pair exist in the targeted entry.
LDAP_INVALID_SYNTAX	21 (0x15)	An attribute value specified on an LDAP client request does not have a valid syntax specified. For example, if an attribute type in the schema has an integer syntax, an integer value must be specified on an add or modify request.
LDAP_NO_SUCH_OBJECT	32 (0x20)	The LDAP server encountered an error during a client request because the target entry does not exist in the directory.
LDAP_ALIAS_PROBLEM	33 (0x21)	The LDAP server encountered an error while attempting to process alias entries on a client request. Verify that there are no alias loops in the directory (for example, alias entries pointing at each other) and that the alias entries are properly configured. See Alias for more information about configuring aliases in the LDAP server.
LDAP_INVALID_DN_SYNTAX	34 (0x22)	The LDAP client request is not allowed because the DN does not have valid syntax. This error can occur on add and modify requests if the distinguished name (DN) is missing an equal sign ('=') between an attribute type and value or the DN does not contain a correct escaping sequence before a multi-byte UTF8 value.
LDAP_ALIAS_DEREF_PROBLEM	36 (0x24)	The LDAP server encountered an error on a search request while attempting to dereference an alias entry however the dereferenced entry does not exist in the directory. Verify that alias entries in the directory point to valid entries in the DIT.
LDAP_INAPPROPRIATE_AUTH	48 (0x30)	The LDAP client request is not allowed because the password (credentials) specified is not correct or the distinguished name of the authenticating user is not correct. Verify that the distinguished name and password of the authenticating user are correct.
LDAP_INVALID_CREDENTIALS	49 (0x31)	The LDAP client request is not allowed because the password (credentials) specified is not correct or the authenticating user's distinguished name is not correct. Verify that the distinguished name and password of the authenticating user are correct.
LDAP_INSUFFICIENT_ACCESS	50 (0x32)	The LDAP client request is not allowed because the authenticated user does not have the appropriate authority to perform the requested operation. Verify that ACLs are configured correctly for the authenticated user or the groups that the authenticated user belongs to.
LDAP_BUSY	51 (0x33)	The LDAP server is currently busy processing another request.
LDAP_UNAVAILABLE	52 (0x34)	The LDAP server is currently not available to process the client request. This error occurs for variety of reasons including DB2® is not available for configured TDBM or GDBM backends, ICSF is not available for password encryption or decryption, and RACF® is not available for the SDBM backend. Verify that products the LDAP server must use to process the request are available.
LDAP_UNWILLING_TO_PERFORM	53 (0x35)	The LDAP server is unwilling to perform the requested LDAP client request.
LDAP_LOOP_DETECT	54 (0x36)	Not currently returned by the z/OS LDAP server.
LDAP_NAMING_VIOLATION	64 (0x40)	The LDAP client request is not allowed because of a distinguished name violation. This error occurs on add requests when the superior entry is a referral or an alias entry. This error also occurs on add and modify requests when the distinguished name (DN) contains an attribute type that has binary syntax, which is not allowed in distinguished names.
LDAP_OBJECT_CLASS_VIOLATION	65 (0x41)	The LDAP client request is not allowed because it does not adhere to the schema of the LDAP server. This error occurs on add, modify, and modify dn requests when adding or modifying an entry in such a way that it does not have all required attribute values for the object class of the entry.
LDAP_NOT_ALLOWED_ON_NONLEAF	66 (0x42)	The LDAP client request is not allowed on a non-leaf node in the directory. This error generally occurs while attempting to delete an entry that has child entries underneath it in the DIT. The leaf or child entries must be deleted before removing this entry from the DIT.
LDAP_NOT_ALLOWED_ON_RDN	67 (0x43)	The LDAP client request is attempting to change a relative distinguished name (RDN) component of a distinguished name (DN) which is not allowed. For example, this can occur when attempting to delete the cn attribute from the DN, cn=yvonne,o=ibm, but the cn attribute value is a required attribute for the object class of the entry.
LDAP_ALREADY_EXISTS	68 (0x44)	The LDAP client request is attempting to add an entry to the LDAP server that exists or attempting to modify the schema to include an attribute type or object class that is already present in the schema.
LDAP_NO_OBJECT_CLASS_MODS	69 (0x45)	Not currently returned by the z/OS LDAP server.
LDAP_AFFECTS_MULTIPLE_DSAS	71 (0x47)	Not currently returned by the z/OS LDAP server.
LDAP_OTHER	80 (0x50)	An internal error occurred in the LDAP server that does not fall under one of the previously documented return codes. It is commonly used for indicating an out of storage error in the LDAP server.