LDAP Return Codes
Updated at September 17th, 2024
Table of Contents
Date: 01-17-2022
Error Codes
Errors for LDAP requests are shown in "STATS" log entries as err=##
Non-Error Results Codes
Several error codes do not indicate an error condition:
success (0)
compareFalse (5)
compareTrue (6)
referral (10)
saslBindInProgress (14)The success, compareTrue, and compareFalse result codes indicate successful completion (and, hence, are referred to as "successful" result codes.)
The referral and saslBindInProgress result codes indicate the client needs to take additional action to complete the operation.
Standard LDAP Error Codes
| Error/ Text | Description |
|---|---|
| 0 LDAP_SUCCESS | The client operation completed successfully. |
| 2 LDAP_PROTOCOL_ERROR | The server received an invalid or malformed request from the client. |
| 3 LDAP_TIMELIMIT_EXCEEDED | The operation's time limit, specified by either the client or the server, has been exceeded. In searches, incomplete results are returned. |
| 4 LDAP_SIZELIMIT_EXCEEDED | In a search operation, the size limit specified by the client or the server has been exceeded. Incomplete results are returned. |
| 5 LDAP_COMPARE_FALSE | Not an error condition. The results of a compare operation are false. |
| 6 LDAP_COMPARE_TRUE | Not error condition. The results of a compare operation are true. |
| 7 LDAP_AUTH_METHOD_NOT_SUPPORTED | BIND requests an authentication method not supported by the LDAP server. |
| 8 LDAP_STRONG_AUTH_REQUIRED | Indicates one of the following: For BIND requests, the LDAP server only accepts strong authentication. In a client request, the client requested an operation such as delete that requires strong authentication. In an unsolicited notice of disconnection, the LDAP server discovers the security protecting the communication between the client and server has unexpectedly failed or been compromised. |
| 10 LDAP_REFERRAL | Not an error condition. In LDAPv3, says that the server does not have the target entry of the request, but that the servers in the referral field may. |
| 11 LDAP_ADMINLIMIT_EXCEEDED | An LDAP server limit set by an administrator was exceeded. |
| 12 LDAP_UNAVAILABLE_CRITICAL_EXTENSION | Indicates that the LDAP server was unable to satisfy a request because one or more critical extensions were not available. Either the server does not support the control or the control is not appropriate for the operation type. |
| 13 LDAP_CONFIDENTIALITY_REQUIRED | Indicates that the session is not protected by a protocol such as Transport Layer Security (TLS), which provides session confidentiality. |
| 14 LDAP_SASL_BIND_IN_PROGRESS | Does not indicate an error condition, but indicates that the server is ready for the next step in the process. The client must send the server the same SASL mechanism to continue the process. |
| 16 LDAP_NO_SUCH_ATTRIBUTE | Indicates that the attribute specified in the modify or compare operation does not exist in the entry. |
| 17 LDAP_UNDEFINED_TYPE | Indicates that the attribute specified in the modify or add operation does not exist in the LDAP server's schema. |
| 18 LDAP_INAPPROPRIATE_MATCHING | Indicates that the matching rule specified in the search filter does not match a rule defined for the attribute's syntax. |
| 19 LDAP_CONSTRAINT_VIOLATION | Indicates that the attribute value specified in a modify, add, or modify DN operation violates constraints placed on the attribute. The constraint can be one of size or content (string only, no binary). |
| 20 LDAP_TYPE_OR_VALUE_EXISTS | Indicates that the attribute value specified in a modify or add operation already exists as a value for that attribute. |
| 21 LDAP_INVALID_SYNTAX | Indicates that the attribute value specified in an add, compare, or modify operation is an unrecognized or invalid syntax for the attribute. |
| 32 LDAP_NO_SUCH_OBJECT | Indicates the target object cannot be found. This code is not returned on following operations: Search operations that find the search base but cannot find any entries that match the search filter. Bind operations. |
| 33 LDAP_ALIAS_PROBLEM | Indicates that an error occurred when an alias was dereferenced. |
| 34 LDAP_INVALID_DN_SYNTAX | Indicates that the syntax of the DN is incorrect. (If the DN syntax is correct, but the LDAP server's structure rules do not permit the operation, the server returns code 53: LDAP_UNWILLING_TO_PERFORM.) |
| 35 LDAP_IS_LEAF | Indicates that the specified operation cannot be performed on a leaf entry. (This code is not currently in the LDAP specifications, but is reserved for this constant.) |
| 36 LDAP_ALIAS_DEREF_PROBLEM | Indicates that during a search operation, either the client does not have access rights to read the aliased object's name or dereferencing is not allowed. |
| 48 LDAP_INAPPROPRIATE_AUTH | Indicates that during a bind operation, the client is attempting to use an authentication method that the client cannot use correctly. For example, either of the following cause this error: The client returns simple credentials when strong credentials are required...OR...The client returns a DN and a password for a simple bind when the entry does not have a password defined. |
| 49 LDAP_INVALID_CREDENTIALS | Indicates that during a bind operation one of the following occurred: The client passed either an incorrect DN or password, or the password is incorrect because it has expired, intruder detection has locked the account, or another similar reason. See the data code for more information. |
| 50 LDAP_INSUFFICIENT_ACCESS | Indicates that the caller does not have sufficient rights to perform the requested operation. |
| 51 LDAP_BUSY | Indicates that the LDAP server is too busy to process the client request at this time but if the client waits and resubmits the request, the server may be able to process it then. |
| 52 LDAP_UNAVAILABLE | Indicates that the LDAP server cannot process the client's bind request, usually because it is shutting down. |
| 53 LDAP_UNWILLING_TO_PERFORM | Indicates that the LDAP server cannot process the request because of server-defined restrictions. This error is returned for the following reasons: The add entry request violates the server's structure rules...OR...The modify attribute request specifies attributes that users cannot modify...OR...Password restrictions prevent the action...OR...Connection restrictions prevent the action. |
| 54 LDAP_LOOP_DETECT | Indicates that the client discovered an alias or referral loop, and is thus unable to complete this request. |
| 64 LDAP_NAMING_VIOLATION | Indicates that the add or modify DN operation violates the schema's structure rules. For example, The request places the entry subordinate to an alias. The request places the entry subordinate to a container that is forbidden by the containment rules. The RDN for the entry uses a forbidden attribute type. |
| 65 LDAP_OBJECT_CLASS_VIOLATION | Indicates that the add, modify, or modify DN operation violates the object class rules for the entry. For example, the following types of request return this error: The add or modify operation tries to add an entry without a value for a required attribute. The add or modify operation tries to add an entry with a value for an attribute which the class definition does not contain. The modify operation tries to remove a required attribute without removing the auxiliary class that defines the attribute as required. |
| 66 LDAP_NOT_ALLOWED_ON_NONLEAF | Indicates that the requested operation is permitted only on leaf entries. For example, the following types of requests return this error: The client requests a delete operation on a parent entry. The client request a modify DN operation on a parent entry. |
| 67 LDAP_NOT_ALLOWED_ON_RDN | Indicates that the modify operation attempted to remove an attribute value that forms the entry's relative distinguished name. |
| 68 LDAP_ALREADY_EXISTS | Indicates that the add operation attempted to add an entry that already exists, or that the modify operation attempted to rename an entry to the name of an entry that already exists. |
| 69 LDAP_NO_OBJECT_CLASS_MODS | Indicates that the modify operation attempted to modify the structure rules of an object class. |
| 70 LDAP_RESULTS_TOO_LARGE | Reserved for CLDAP. |
| 71 LDAP_AFFECTS_MULTIPLE_DSAS | Indicates that the modify DN operation moves the entry from one LDAP server to another and requires more than one LDAP server. |
| 80 LDAP_OTHER | Indicates an unknown error condition. This is the default value for NDS error codes which do not map to other LDAP error codes. |
AD-Related Code Error 49
There are several common LDAP error codes which indicate an issue with the fields being specified when attempting to configure AD LDAP external authentication. Example:
Error executing command. Failure: 400 Bad Request. Server message: Failed to verify configuration configuration-name: An authentication error occurred while accessing the naming or directory service: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]The example AD-specific error code is listed above (52e.) The following list contains some common codes and their meaning:
525 - user not found; indicates an Active Directory (AD) 525 AcceptSecurityContext data error that is returned when the username is invalid.
52e - invalid credentials; indicates an Active Directory (AD) AcceptSecurityContext error, which is returned when the username is valid but the combination of password and user credential is invalid. This is the AD equivalent of LDAP error code 49: LDAP_INVALID_CREDENTIALS.
530 - not permitted to logon at this time; indicates an Active Directory (AD) 530 AcceptSecurityContext data error that is logon failure caused because the user is not permitted to log on at this time. Returns only when presented with a valid username and valid password credential.
531 - not permitted to logon at this workstation; indicates an Active Directory (AD) 531 AcceptSecurityContext data error that is logon failure caused because the user is not permitted to log on from this computer. Returns only when presented with a valid username and valid password credential.
532 - password expired; indicates an Active Directory (AD) 532 AcceptSecurityContext data error that is a logon failure. The specified account password has expired. Returns only when presented with valid username and password credential.
533 - account disabled; indicates an Active Directory (AD) 533 AcceptSecurityContext data error that is a logon failure. The account is currently disabled. Returns only when presented with valid username and password credential.
534 - user has not been granted the requested logon type at this machine; when the local security policy does not allow the user to log on in the requested fashion, event 534 is generated. This event gets generated on the server or workstation where the user failed to logon.
568 - user's security context accumulated too many security IDs; this behavior occurs because Windows systems contain a limit that prevents a user's security access token from containing more than 1,000 security identifiers (SIDs). This means that when a user is being validated for access rights to establish a new session with a server, that user must not be a member of more than 1,000 groups in that server's domain.
701 - account has expired; indicates an Active Directory (AD) 701 AcceptSecurityContext data error that is a logon failure. The user's account has expired. Returns only when presented with valid username and password credential.
773 - user must reset password; indicates an Active Directory (AD) 773 AcceptSecurityContext data error. The user's password must be changed before logging on the first time. Returns only when presented with valid user-name and password credential.
775 - user account locked; indicates that a user account is locked out in AD and cannot be logged into.