LDAP return codes

If errors occur in the LDAP server during a client request, a return code is returned as part of the operation's response. The return codes that the z/OS® LDAP server returns on client requests are documented in /usr/include/ldap.h. However, the z/OS LDAP server returns only a subset of the return codes documented in ldap.h. When an error occurs in the LDAP server, more specific information about the error is returned to the client application in the reason code message. See LDAP reason codes for information about the reason codes.

Table 1 summarizes the return codes in the ldap.h file that the z/OS LDAP server issues when processing client requests. Some return codes in Table 1, and other return codes that are documented in the ldap.h file but not found in Table 1, are returned by the LDAP C client programming routines.
Table 1. LDAP server return codes
Columns: #define in ldap.h file; LDAP return code, decimal (hexadecimal); LDAP return code description
LDAP_SUCCESS 0 (0x00) The operation is successful.
LDAP_OPERATIONS_ERROR 1 (0x01) An internal operations error occurred in the LDAP server.
LDAP_PROTOCOL_ERROR 2 (0x02) The LDAP server encountered an LDAP client request that is not a valid LDAP message. Verify that the LDAP client request messages are encoded properly.
LDAP_TIMELIMIT_EXCEEDED 3 (0x03) The time limit for the search request has been exceeded. See the timelimit option in Customizing the LDAP server configuration for more information about how time limits are processed in the LDAP server.
LDAP_SIZELIMIT_EXCEEDED 4 (0x04) The size limit on the search request has been exceeded. See the sizelimit option in Customizing the LDAP server configuration for more information about how size limits are processed in the LDAP server.
LDAP_COMPARE_FALSE 5 (0x05) The attribute value specified for the attribute type on the compare request does not exist in the entry.
LDAP_COMPARE_TRUE 6 (0x06) The attribute value specified for the attribute type on the compare request does exist in the entry.
LDAP_STRONG_AUTH_NOT_SUPPORTED 7 (0x07) The requested authentication mechanism is not supported by the z/OS LDAP server. The bind mechanisms supported by the z/OS LDAP server are: anonymous, simple, CRAM-MD5, DIGEST-MD5, GSSAPI (Kerberos), and SASL EXTERNAL.
LDAP_STRONG_AUTH_REQUIRED 8 (0x08) Not currently returned by the z/OS LDAP server.
LDAP_PARTIAL_RESULTS 9 (0x09) The LDAP server encountered an error while processing an LDAP Version 2 search request and a referral entry was encountered. This return code is used to indicate that not all search results have been obtained because LDAP version 2 client applications do not follow referrals automatically.
LDAP_REFERRAL 10 (0x0A) The LDAP server encountered a referral while processing a search request. The client application may follow the referral to another LDAP server to process the remainder of the request.
LDAP_ADMIN_LIMIT_EXCEEDED 11 (0x0B) Not currently returned by the z/OS LDAP server.
LDAP_UNAVAILABLE_CRITICAL_EXTENSION 12 (0x0C) An LDAP operation failed because it includes a critical control that the LDAP server does not support. Possible reasons for this are:
  • The control is not supported at all.
  • The control is specified for an operation that does not allow that control.
  • The control is only supported for certain users.
LDAP_CONFIDENTIALITY_REQUIRED 13 (0x0D) A control specified on an LDAP client request had the control criticality set to true; however, the server does not recognize the control or the control is not appropriate for the operation. If the control is not critical, set the criticality to false to allow the LDAP server to ignore the control if it is always sent on all client requests. See Supported server controls for more information about the supported controls in the z/OS LDAP server.
LDAP_SASLBIND_IN_PROGRESS 14 (0x0E) A CRAM-MD5, DIGEST-MD5, or GSSAPI (Kerberos) bind is currently in progress. This is a temporary error that occurs on these multi-handshake binds between the client and server.
LDAP_NO_SUCH_ATTRIBUTE 16 (0x10) An attribute type specified on the LDAP client request does not exist in the entry. Verify that the entry being modified or compared has the attribute that was specified.
LDAP_UNDEFINED_TYPE 17 (0x11) An attribute specified on the LDAP client request does not exist in the schema of the LDAP server. The attribute must be added to the LDAP server's schema so that it can be used.
LDAP_INAPPROPRIATE_MATCHING 18 (0x12) The LDAP server encountered an error during a search request because the search filter is attempting to use a matching rule that is not supported by the attribute type. This can occur while attempting to use an attribute type/value pair in the search filter that has binary syntax. These types of search filters are not supported in the z/OS LDAP server.
LDAP_CONSTRAINT_VIOLATION 19 (0x13) The LDAP server encountered a constraint error during a client request. This error can occur if an integer value specified on an integer syntax attribute is too large or too small, or if an attempt is made to add or modify an entry with an obsoleted object class or attribute type or with a non-user-modifiable attribute type in the schema.
LDAP_TYPE_OR_VALUE_EXISTS 20 (0x14) The LDAP server encountered an error during a client request because the attribute type or the attribute type and value pair exist in the targeted entry.
LDAP_INVALID_SYNTAX 21 (0x15) An attribute value specified on an LDAP client request does not have a valid syntax specified. For example, if an attribute type in the schema has an integer syntax, an integer value must be specified on an add or modify request.
LDAP_NO_SUCH_OBJECT 32 (0x20) The LDAP server encountered an error during a client request because the target entry does not exist in the directory.
LDAP_ALIAS_PROBLEM 33 (0x21) The LDAP server encountered an error while attempting to process alias entries on a client request. Verify that there are no alias loops in the directory (for example, alias entries pointing at each other) and that the alias entries are properly configured. See Alias for more information about configuring aliases in the LDAP server.
LDAP_INVALID_DN_SYNTAX 34 (0x22) The LDAP client request is not allowed because the DN does not have valid syntax. This error can occur on add and modify requests if the distinguished name (DN) is missing an equal sign ('=') between an attribute type and value or the DN does not contain a correct escaping sequence before a multi-byte UTF-8 value.
LDAP_ALIAS_DEREF_PROBLEM 36 (0x24) The LDAP server encountered an error on a search request while attempting to dereference an alias entry; however, the dereferenced entry does not exist in the directory. Verify that alias entries in the directory point to valid entries in the DIT.
LDAP_INAPPROPRIATE_AUTH 48 (0x30) The LDAP client request is not allowed because the password (credentials) specified is not correct or the distinguished name of the authenticating user is not correct. Verify that the distinguished name and password of the authenticating user are correct.
LDAP_INVALID_CREDENTIALS 49 (0x31) The LDAP client request is not allowed because the password (credentials) specified is not correct or the authenticating user's distinguished name is not correct. Verify that the distinguished name and password of the authenticating user are correct.
LDAP_INSUFFICIENT_ACCESS 50 (0x32) The LDAP client request is not allowed because the authenticated user does not have the appropriate authority to perform the requested operation. Verify that ACLs are configured correctly for the authenticated user or the groups that the authenticated user belongs to.
LDAP_BUSY 51 (0x33) The LDAP server is currently busy processing another request.
LDAP_UNAVAILABLE 52 (0x34) The LDAP server is currently not available to process the client request. This error occurs for a variety of reasons, including: Db2® is not available for configured TDBM or GDBM backends, ICSF is not available for password encryption or decryption, or RACF® is not available for the SDBM backend. Verify that the products the LDAP server must use to process the request are available.
LDAP_UNWILLING_TO_PERFORM 53 (0x35) The LDAP server is unwilling to perform the requested LDAP client request.
LDAP_LOOP_DETECT 54 (0x36) Not currently returned by the z/OS LDAP server.
LDAP_NAMING_VIOLATION 64 (0x40) The LDAP client request is not allowed because of a distinguished name violation. This error occurs on add requests when the superior entry is a referral or an alias entry. This error also occurs on add and modify requests when the distinguished name (DN) contains an attribute type that has binary syntax, which is not allowed in distinguished names.
LDAP_OBJECT_CLASS_VIOLATION 65 (0x41) The LDAP client request is not allowed because it does not adhere to the schema of the LDAP server. This error occurs on add, modify, and modify dn requests when adding or modifying an entry in such a way that it does not have all required attribute values for the object class of the entry.
LDAP_NOT_ALLOWED_ON_NONLEAF 66 (0x42) The LDAP client request is not allowed on a non-leaf node in the directory. This error generally occurs while attempting to delete an entry that has child entries underneath it in the DIT. The leaf or child entries must be deleted before removing this entry from the DIT.
LDAP_NOT_ALLOWED_ON_RDN 67 (0x43) The LDAP client request is attempting to change a relative distinguished name (RDN) component of a distinguished name (DN) which is not allowed. For example, this can occur when attempting to delete the cn attribute from the DN, cn=yvonne,o=ibm, but the cn attribute value is a required attribute for the object class of the entry.
LDAP_ALREADY_EXISTS 68 (0x44) The LDAP client request is attempting to add an entry that already exists in the LDAP server, or is attempting to modify the schema to include an attribute type or object class that is already present in the schema.
LDAP_NO_OBJECT_CLASS_MODS 69 (0x45) Not currently returned by the z/OS LDAP server.
LDAP_AFFECTS_MULTIPLE_DSAS 71 (0x47) Not currently returned by the z/OS LDAP server.
LDAP_OTHER 80 (0x50) An internal error occurred in the LDAP server that does not fall under one of the previously documented return codes. It is commonly used for indicating an out of storage error in the LDAP server.
LDAP_NO_RESULT_MESSAGE 248 (0xF8) The LDAP client received no result message for this request. The server does not send this return code to the client. However, it might indicate this return code in the activity log or in SMF record type 83 subtype 3 audit records when a result message is not sent. This can occur when the request is abandoned by the client, when the client issues an unbind request before the indicated request completes, or when the connection between the client and server is terminated for other reasons.