Chapter 12. LDAP Trouble & Errors

OpenLDAP is sometimes criticised for poor error messages and diagnostics. This is partly because error messages are generically standardised, which limits the implementation's ability to be informative and creative (in all fairness, a textual element is also added to help pinpoint the problem), and partly because many error messages are reported via clients, which can do some serious mangling of any original diagnostics.

The best information comes from OpenLDAP's rather voluminous logging (certainly when using loglevel -1).

We document below some information on reading OpenLDAP's log and the standard LDAP error messages with some hints as to where the possible cause may lie.

Standard LDAP Error Messages

These error messages are taken from RFC 4511 Section 4.1.9, a draft RFC on the LDAP C API (dating from 2000), and inspection of OpenLDAP LDAPResult.h.

Error Name Number Explanation/Causes
LDAP_SUCCESS 0 (x'00) The request was successful.
LDAP_OPERATIONS_ERROR 1 (x'01) An operations error occurred.
LDAP_PROTOCOL_ERROR 2 (x'02) A protocol violation was detected.
LDAP_TIMELIMIT_EXCEEDED 3 (x'03) An LDAP time limit was exceeded.
LDAP_SIZELIMIT_EXCEEDED 4 (x'04) An LDAP size limit was exceeded.
LDAP_COMPARE_FALSE 5 (x'05) A compare operation returned false.
LDAP_COMPARE_TRUE 6 (x'06) A compare operation returned true.
LDAP_STRONG_AUTH_NOT_SUPPORTED 7 (x'07) The LDAP server does not support strong authentication.
LDAP_STRONG_AUTH_REQUIRED 8 (x'08) Strong authentication is required for the operation.
LDAP_PARTIAL_RESULTS 9 (x'09) Partial results only returned.
LDAP_REFERRAL 10 (x'0A) Indicates an LDAP Referral response. The message will include one or more LDAP URLs to which the client should re-direct subsequent operations for this DN.
LDAP_ADMINLIMIT_EXCEEDED 11 (x'0B) Indicates that any limit placed on the number of entries to be searched within the server has been exceeded.
LDAP_UNAVAILABLE_CRITICAL_EXTENSION 12 (x'0C) Indicates that a control or matching rule, requested in the operation, is not supported by this server.
LDAP_CONFIDENTIALITY_REQUIRED 13 (x'0D) The server configuration requires some form of confidentiality (TLS/SSL or SASL) when performing the bind with the provided DN, for example, a global or database security directive may require some form of SSF during simple_bind or update operations.
LDAP_SASL_BIND_IN_PROGRESS 14 (x'0E) The server is currently performing a SASL bind and the requested operation is invalid in this context.
15 (x'0F) Unused.
LDAP_NO_SUCH_ATTRIBUTE 16 (x'10) The attribute specified in the request does not exist in the entry.
LDAP_UNDEFINED_TYPE 17 (x'11) The attribute type specified in the request was invalid.
LDAP_INAPPROPRIATE_MATCHING 18 (x'12) Indicates the extensible match filter matching rule is not supported for the specified attribute type.
LDAP_CONSTRAINT_VIOLATION 19 (x'13) An attribute value specified in an operation violates some constraint.
Possible causes:
1. string too long
2. wrong type - string written to numeric attribute
3. Invalid value, for example, attribute may take a specific value or one of a set of values
LDAP_TYPE_OR_VALUE_EXISTS 20 (x'14) An attribute type or attribute value specified already exists in the entry.
Possible Causes:
1. Adding entry - one or more attributes in an LDIF (or add/replace operation) for an entry are exactly the same (duplicated)
LDAP_INVALID_SYNTAX 21 (x'15) An invalid attribute value was specified.
22 - 31 (x'16 - x'1F). Unused.
LDAP_NO_SUCH_OBJECT 32 (x'20) The specified entry does not exist in the directory (DIT).
LDAP_ALIAS_PROBLEM 33 (x'21) An alias in the DIT points to a nonexistent entry.
LDAP_INVALID_DN_SYNTAX 34 (x'22) A syntactically invalid DN was specified. May also happen if you use an LDIF format file (dn: cn=xxx etc.) with ldapdelete which only requires a plain DN.
35 (x'23) Reserved and unused in LDAPv3 (LDAPv2: LDAP_IS_LEAF The object specified is a leaf)
LDAP_ALIAS_DEREF_PROBLEM 36 (x'24) A problem was encountered when dereferencing an alias. See also 33.
37 - 47 (x'25 - x'2F). Unused.
LDAP_INAPPROPRIATE_AUTH 48 (x'30) Inappropriate authentication was specified, for example, LDAP_AUTH_SIMPLE was specified and the entry does not have a userPassword attribute.
LDAP_INVALID_CREDENTIALS 49 (x'31) Invalid credentials were presented, for example, the wrong password
Additional text: unable to get TLS Client DN
Possible Cause:
1. No client certificate when TLSVerifyClient is 'demand'
2. No client certificate when TLSVerifyClient is 'never' in which case the error message is not fatal and service continues.
LDAP_INSUFFICIENT_ACCESS 50 (x'32) The user has insufficient access to perform the operation.
LDAP_BUSY 51 (x'33) The server (DSA) is too busy to perform the requested operation.
LDAP_UNAVAILABLE 52 (x'34) The DSA is unavailable, for example, it may be halted, paused or initialising.
LDAP_UNWILLING_TO_PERFORM 53 (x'35) The server (DSA) is unwilling to perform the operation.
Additional text: no global superior knowledge - the name that is being added or modified does not exist in any naming context or does not have a valid referral.
Possible cause:
1. no olcSuffix attribute (or no suffix directive in slapd.conf) for the referenced DIT
Additional Text: Shadow context; no update referral - the DIT being updated is a replica in read only mode and the absence of an updateref directive means a referral cannot be returned.
Possible Causes:
1. A write had been attempted to a read-only replica (the consumer in a syncrepl configuration is always read-only).
2. In a multi-master syncrepl configuration mirrormode true may be missing from the slapd.conf file.
3. If slapd was loaded using a slapd.conf file and a slapd.d directory (cn=config) also exists then subsequent modifications to a DIT can fail with this message. FreeBSD in particular needs an explicit entry in rc.conf (slapd_cn_config="YES") to force use of slapd.d.
LDAP_LOOP_DETECT 54 (x'36) A loop was detected.
55 - 59 (x'37 - x'3B). Unused.
LDAP_SORT_CONTROL_MISSING 60 (x'3C) Unused in standards. Sun LDAP Directory Server only. Server did not receive a required server-side sorting control.
LDAP_RANGE_INDEX_ERROR 61 (x'3D) Unused in standards. Sun LDAP Directory Server only. The search results exceeded the range specified by the requested offsets.
62 - 63 (x'3E - x'3F). Unused.
LDAP_NAMING_VIOLATION 64 (x'40) Indicates the request contained a naming violation within the current DIT.
LDAP_OBJECT_CLASS_VIOLATION 65 (x'41) An object class violation occurred when using the current schema, for example, a "must" attribute was missing when adding an entry.
LDAP_NOT_ALLOWED_ON_NONLEAF 66 (x'42) The operation is not allowed on a nonleaf (one that has child entries) entry.
LDAP_NOT_ALLOWED_ON_RDN 67 (x'43) The operation is not allowed on an RDN, for example, deleting an attribute that is used as an RDN within the DN.
LDAP_ALREADY_EXISTS 68 (x'44) The entry already exists in this DIT.
LDAP_NO_OBJECT_CLASS_MODS 69 (x'45) Object class modifications are not allowed.
LDAP_RESULTS_TOO_LARGE 70 (x'46) C API (draft) only. Results too large to be contained in this message.
LDAP_AFFECTS_MULTIPLE_DSAS 71 (x'47) Indicates the operation needs to be performed on multiple servers (DSAs) and this is not permitted.
72 - 79 (x'48 - x'4F). Unused.
LDAP_OTHER 80 (x'50) An unknown error occurred.
Possible Cause:
Attempting to delete an attribute (especially in cn=config) that is not permitted
Additional text: olcDbDirectory: value #0: invalid path: No such file or directory
Possible Cause:
The path for the database must exist before initializing a new database.
LDAP_SERVER_DOWN 81 (x'51) C API (draft) only. The LDAP library can't contact the LDAP server.
LDAP_LOCAL_ERROR 82 (x'52) C API (draft) only. Some local error occurred. This is usually a failed dynamic memory allocation.
LDAP_ENCODING_ERROR 83 (x'53) C API (draft) only. An error was encountered encoding parameters to send to the LDAP server.
LDAP_DECODING_ERROR 84 (x'54) C API (draft) only. An error was encountered decoding a result from the LDAP server.
LDAP_TIMEOUT 85 (x'55) C API (draft) only. A timelimit was exceeded while waiting for a result.
LDAP_AUTH_UNKNOWN 86 (x'56) C API (draft) only. The authentication method specified to ldap_bind() is not known.
LDAP_FILTER_ERROR 87 (x'57) C API (draft) only. An invalid filter was supplied to ldap_search() (for instance, unbalanced parentheses).
LDAP_USER_CANCELLED 88 (x'58) C API (draft) only. Indicates the user canceled the requested operation.
LDAP_PARAM_ERROR 89 (x'59) C API (draft) only. An ldap routine was called with a bad parameter.
LDAP_NO_MEMORY 90 (x'5A) C API (draft) only. A memory allocation (e.g., malloc(3) or other dynamic memory allocator) call failed in an ldap library routine.
LDAP_CONNECT_ERROR 91 (x'5B) C API (draft) only. A Library/Client cannot connect to an LDAP server defined in a URL.
LDAP_NOT_SUPPORTED 92 (x'5C) C API (draft) only. Indicates request uses feature not supported by this server.
LDAP_CONTROL_NOT_FOUND 93 (x'5D) C API (draft) only. A requested control was not found on this server.
LDAP_NO_RESULTS_RETURNED 94 (x'5E) C API (draft) only. The requested operation was successful but no results were returned (obtained).
LDAP_MORE_RESULTS_TO_RETURN 95 (x'5F) C API (draft) only. The requested operation was successful but more results need to be returned than could fit in the current message.
LDAP_CLIENT_LOOP 96 (x'60) C API (draft) only. Client detected a loop, for example, following referrals.
LDAP_REFERRAL_LIMIT_EXCEEDED 97 (x'61) C API (draft) only. The server or client exceeded any defined referral limit.

OpenLDAP Log

This section shows some annotated OpenLDAP logs. Lines beginning # are comments inserted for the purposes of annotation and would not be present in a normal log.
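
An added example (not part of the original guide and not OpenLDAP code): a Python triage script that reads slapd log lines, skips # annotation lines, and reports each failed result with the client address and the last DN bound on that connection, naming result codes from the table above. The log lines are constructed and assume the conn=/op=/RESULT line layout slapd writes at the stats log level; the function names are hypothetical.

```python
import re
from collections import Counter

# Names from the result-code table on this page (subset; others show as err=N).
RESULT_NAMES = {13: "LDAP_CONFIDENTIALITY_REQUIRED", 49: "LDAP_INVALID_CREDENTIALS",
                50: "LDAP_INSUFFICIENT_ACCESS", 53: "LDAP_UNWILLING_TO_PERFORM"}
NOT_FAILURES = {0, 5, 6, 10, 14}  # success, compare false/true, referral, SASL in progress
ACCEPT_RE = re.compile(r"conn=(\d+) fd=\d+ ACCEPT from IP=(\S+):\d+\s")
BIND_RE = re.compile(r'conn=(\d+) op=\d+ BIND dn="([^"]*)"')
RESULT_RE = re.compile(r"conn=(\d+) op=\d+ (?:\w+ )?RESULT tag=\d+ err=(\d+)\b.*?text=(.*)$")

def failed_operations(lines):
    """Return (client_ip, last_bind_dn, result_name, text) for each failed result."""
    peers, bind_dns, failures = {}, {}, []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):  # annotation comments, as on this page
            continue
        if m := ACCEPT_RE.search(line):
            peers[m[1]] = m[2]                # conn id -> client address
        elif m := BIND_RE.search(line):
            bind_dns[m[1]] = m[2]             # DN asserted by the latest BIND on this conn
        elif m := RESULT_RE.search(line):
            err = int(m[2])
            if err not in NOT_FAILURES:
                failures.append((peers.get(m[1], "?"), bind_dns.get(m[1], ""),
                                 RESULT_NAMES.get(err, f"err={err}"), m[3]))
    return failures

def invalid_credentials_by_source(lines):
    return Counter(ip for ip, _, name, _ in failed_operations(lines)
                   if name == "LDAP_INVALID_CREDENTIALS")  # result code 49

# Constructed sample log (not from a real server); documentation-range addresses.
SAMPLE_LOG = """\
# two failed simple binds, then a write to a read-only replica
slapd[911]: conn=1001 fd=14 ACCEPT from IP=192.0.2.10:51234 (IP=0.0.0.0:389)
slapd[911]: conn=1001 op=0 BIND dn="cn=admin,dc=example,dc=com" method=128
slapd[911]: conn=1001 op=0 RESULT tag=97 err=49 text=
slapd[911]: conn=1001 op=1 BIND dn="cn=admin,dc=example,dc=com" method=128
slapd[911]: conn=1001 op=1 RESULT tag=97 err=49 text=
slapd[911]: conn=1002 fd=15 ACCEPT from IP=192.0.2.20:40022 (IP=0.0.0.0:389)
slapd[911]: conn=1002 op=0 BIND dn="uid=app,dc=example,dc=com" method=128
slapd[911]: conn=1002 op=0 RESULT tag=97 err=0 text=
slapd[911]: conn=1002 op=1 MOD dn="uid=bob,dc=example,dc=com"
slapd[911]: conn=1002 op=1 RESULT tag=103 err=53 text=Shadow context; no update referral
""".splitlines()

if __name__ == "__main__":
    print(*failed_operations(SAMPLE_LOG), sep="\n")
```

Repeated code 49 results from one address against the same DN are the pattern worth alerting on; a code 53 with the shadow-context text points at a client configured to write to a replica.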

This work is licensed under a Creative Commons License.

Copyright © 1994 - 2017 ZyTrax, Inc.
Page modified: May 12 2016.