{scrollbar}

This data structure contains some information about the result of an operation.

It's defined following the LDAP RFC 4511 definition :

LDAPResult ::= SEQUENCE { resultCode ENUMERATED { success (0), operationsError (1), protocolError (2), timeLimitExceeded (3), sizeLimitExceeded (4), compareFalse (5), compareTrue (6), authMethodNotSupported (7), strongerAuthRequired (8), -- 9 reserved -- referral (10), adminLimitExceeded (11), unavailableCriticalExtension (12), confidentialityRequired (13), saslBindInProgress (14), noSuchAttribute (16), undefinedAttributeType (17), inappropriateMatching (18), constraintViolation (19), attributeOrValueExists (20), invalidAttributeSyntax (21), -- 22-31 unused -- noSuchObject (32), aliasProblem (33), invalidDNSyntax (34), -- 35 reserved for undefined isLeaf -- aliasDereferencingProblem (36), -- 37-47 unused -- inappropriateAuthentication (48), invalidCredentials (49), insufficientAccessRights (50), busy (51), unavailable (52), unwillingToPerform (53), loopDetect (54), -- 55-63 unused -- namingViolation (64), objectClassViolation (65), notAllowedOnNonLeaf (66), notAllowedOnRDN (67), entryAlreadyExists (68), objectClassModsProhibited (69), -- 70 reserved for CLDAP -- affectsMultipleDSAs (71), -- 72-79 unused -- other (80), ... }, matchedDN LDAPDN, diagnosticMessage LDAPString, referral [3] Referral OPTIONAL }

In other words, it holds :

  • a resultCode (a ResultCodeEnum)
  • a matchedDN (Dn)
  • an diagnosticMessage (String)
  • an optional referral (list of LdapUrls) if the result code is referral

This data structure is usually created using the information returned by the server. Usually, one just access those information to know if the operation has been successful or not.

API

The API is pretty obvious : we have setters and getters.

Getters

We have five of them :

  • getDiagnosticMessage() : Returns the diagnostic message. This message may vary from one server to another, it's purely informative
  • getMatchedDn() : Get the Dn of the last entry that matches this Dn
  • getReferral() : If the resultCode is Referral, a list of LdapUrls
  • getResultCode() : The operation result
  • isReferral() : tells if the response is a Referral

Setters

Again, we have a setter per field :

  • setDiagnosticMessage( String message ) : Sets the diagnostic message
  • setMatchedDn(Dn) : Sets the Dn of the last entry that matches this Dn;
  • setReferral(Referral) : If the resultCode is Referral, sets a list of LdapUrls;
  • setResultCode(ResultCodeEnum) : The operation result

ResultCodeEnum

We use an enum to list all the error codes. Here is the possible values :

java /** * It is returned when the client operation completed successfully without * errors. This code is one of 5 result codes that may be returned in the * LDAPResult which are not used to indicate an error. Applicable * operations: all except for Compare. Result code type: Non-Erroneous */ SUCCESS( 0, "success" ), /** * Servers sends this result code to LDAP v2 clients to refer them to * another LDAP server. When sending this code to a client, the server * includes a newline-delimited list of LDAP URLs that identify another LDAP * server. If the client identifies itself as an LDAP v3 client in the * request, servers send an REFERRAL result code instead of this result * code. */ PARTIAL_RESULTS( 9, "partialResults" ), /** * It is used to indicate that the result of a Compare operation is FALSE * and does not indicate an error. 1 of 5 codes that do not indicate an * error condition. Applicable operations: Compare. Result code type: * Non-Erroneous */ COMPARE_FALSE( 5, "compareFalse" ), /** * It is used to indicate that the result of a Compare operation is TRUE and * does not indicate an error. 1 of 5 codes that do not indicate an error * condition. Applicable operations: Compare. Result code type: * Non-Erroneous */ COMPARE_TRUE( 6, "compareTrue" ), /** * Rather than indicating an error, this result code is used to indicate * that the server does not hold the target entry of the request but is able * to provide alternative servers that may. A set of server(s) URLs may be * returned in the referral field, which the client may subsequently query * to attempt to complete their operation. 1 of 5 codes that do not indicate * an error condition yet requires further action on behalf of the client to * complete the request. This result code is new in LDAPv3. Applicable * operations: all. Result code type: Non-Erroneous */ REFERRAL( 10, "referral" ), /** * This result code is not an error response from the server, but rather, is * a request for bind continuation. The server requires the client to send a * new bind request, with the same SASL mechanism, to continue the * authentication process [RFC2251, Section 4.2.3]. This result code is new * in LDAPv3. Applicable operations: Bind. Result code type: Non-Erroneous */ SASL_BIND_IN_PROGRESS( 14, "saslBindInProgress" ), // ------------------------------------------------------------------------ // Problem Specific Error Codes: // // Specific errors are used to indicate that a particular type of error // has occurred. These error types are Name, Update, Attribute, Security, // and Service. // ------------------------------------------------------------------------ // ------------------------------------------------------------------------ // Security Problem Specific Error Codes: // // A security error reports a problem in carrying out an operation for // security reasons [X511, Section 12.7]. // ------------------------------------------------------------------------ /** * This error code should be returned if the client requests, in a Bind * request, an authentication method which is not supported or recognized by * the server. Applicable operations: Bind. Result code type: Specific * (Security) */ AUTH_METHOD_NOT_SUPPORTED( 7, "authMethodNotSupported" ), /** * This error may be returned on a bind request if the server only accepts * strong authentication or it may be returned when a client attempts an * operation which requires the client to be strongly authenticated - for * example Delete. This result code may also be returned in an unsolicited * notice of disconnection if the server detects that an established * underlying security association protecting communication between the * client and server has unexpectedly failed or been compromised. [RFC2251, * Section 4.4.1] Applicable operations: all. Result code type: Specific * (Security) */ STRONG_AUTH_REQUIRED( 8, "strongAuthRequired" ), /** * This error code may be returned if the session is not protected by a * protocol which provides session confidentiality. For example, if the * client did not establish a TLS connection using a cipher suite which * provides confidentiality of the session before sending any other * requests, and the server requires session confidentiality then the server * may reject that request with a result code of confidentialityRequired. * This error code is new in LDAPv3. Applicable operations: all. Result code * type: Specific (Security) */ CONFIDENTIALITY_REQUIRED( 13, "confidentialityRequired" ), /** * An alias was encountered in a situation where it was not allowed or where * access was denied [X511, Section 12.5]. For example, if the client does * not have read permission for the aliasedObjectName attribute and its * value then the error aliasDereferencingProblem should be returned. [X511, * Section 7.11.1.1] Notice that this error has similar meaning to * INSUFFICIENT_ACCESS_RIGHTS (50), but is specific to Searching on an alias. * Applicable operations: Search. Result code type: Specific (Security) */ ALIAS_DEREFERENCING_PROBLEM( 36, "aliasDereferencingProblem" ), /** * This error should be returned by the server when the client has tried to * use a method of authentication that is inappropriate, that is a method of * authentication which the client is unable to use correctly. In other * words, the level of security associated with the requestor's credentials * is inconsistent with the level of protection requested, e.g. simple * credentials were supplied while strong credentials were required [X511, * Section 12.7]. Applicable operations: Bind. Result code type: Specific * (Security) */ INAPPROPRIATE_AUTHENTICATION( 48, "inappropriateAuthentication" ), /** * This error code is returned if the Dn or password used in a simple bind * operation is incorrect, or if the Dn or password is incorrect for some * other reason, e.g. the password has expired. This result code only * applies to Bind operations -- it should not be returned for other * operations if the client does not have sufficient permission to perform * the requested operation - in this case the return code should be * insufficientAccessRights. Applicable operations: Bind. Result code type: * Specific (Security) */ INVALID_CREDENTIALS( 49, "invalidCredentials" ), /** * The requestor does not have the right to carry out the requested * operation [X511, Section 12.7]. Note that the more specific * aliasDereferencingProblem is returned in case of a Search on an alias * where the requestor has insufficientAccessRights. Applicable operations: * all except for Bind. Result code type: Specific (Security) */ INSUFFICIENT_ACCESS_RIGHTS( 50, "insufficientAccessRights" ), // ------------------------------------------------------------------------ // Service Problem Specific Error Codes: // // A service error reports a problem related to the provision of the // service [X511, Section 12.8]. // ------------------------------------------------------------------------ /** * If the server requires that the client bind before browsing or modifying * the directory, the server MAY reject a request other than binding, * unbinding or an extended request with the "operationsError" result. * [RFC2251, Section 4.2.1] Applicable operations: all except Bind. Result * code type: Specific (Service) */ OPERATIONS_ERROR( 1, "operationsError" ), /** * A protocol error should be returned by the server when an invalid or * malformed request is received from the client. This may be a request that * is not recognized as an LDAP request, for example, if a nonexistent * operation were specified in LDAPMessage. As well, it may be the result of * a request that is missing a required parameter, such as a search filter * in a search request. If the server can return an error, which is more * specific than protocolError, then this error should be returned instead. * For example if the server does not recognize the authentication method * requested by the client then the error authMethodNotSupported should be * returned instead of protocolError. The server may return details of the * error in the error string. Applicable operations: all. Result code type: * Specific (Service) */ PROTOCOL_ERROR( 2, "protocolError" ), /** * This error should be returned when the time to perform an operation has * exceeded either the time limit specified by the client (which may only be * set by the client in a search operation) or the limit specified by the * server. If the time limit is exceeded on a search operation then the * result is an arbitrary selection of the accumulated results [X511, * Section 7.5]. Note that an arbitrary selection of results may mean that * no results are returned to the client. If the LDAP server is a front end * for an X.500 server, any operation that is chained may exceed the * timelimit, therefore clients can expect to receive timelimitExceeded for * all operations. For stand alone LDAP- Servers that do not implement * chaining it is unlikely that operations other than search operations will * exceed the defined timelimit. Applicable operations: all. Result code * type: Specific (Service) */ TIME_LIMIT_EXCEEDED( 3, "timeLimitExceeded" ), /** * This error should be returned when the number of results generated by a * search exceeds the maximum number of results specified by either the * client or the server. If the size limit is exceeded then the results of a * search operation will be an arbitrary selection of the accumulated * results, equal in number to the size limit [X511, Section 7.5]. * Applicable operations: Search. Result code type: Specific (Service) */ SIZE_LIMIT_EXCEEDED( 4, "sizeLimitExceeded" ), /** * The server has reached some limit set by an administrative authority, and * no partial results are available to return to the user [X511, Section * 12.8]. For example, there may be an administrative limit to the number of * entries a server will check when gathering potential search result * candidates [Net]. This error code is new in LDAPv3. Applicable * operations: all. Result code type: Specific (Service) */ ADMIN_LIMIT_EXCEEDED( 11, "adminLimitExceeded" ), /** * The server was unable to satisfy the request because one or more critical * extensions were not available [X511, Section 12.8]. This error is * returned, for example, when a control submitted with a request is marked * critical but is not recognized by a server or when such a control is not * appropriate for the operation type. [RFC2251 section 4.1.12]. This error * code is new in LDAPv3. Applicable operations: all. Result code type: * Specific (Service) */ UNAVAILABLE_CRITICAL_EXTENSION( 12, "unavailableCriticalExtension" ), /** * This error code may be returned if the server is unable to process the * client's request at this time. This implies that if the client retries * the request shortly the server will be able to process it then. * Applicable operations: all. Result code type: Specific (Service) */ BUSY( 51, "busy" ), /** * This error code is returned when the server is unavailable to process the * client's request. This usually means that the LDAP server is shutting * down [RFC2251, Section 4.2.3]. Applicable operations: all. Result code * type: Specific (Service) */ UNAVAILABLE( 52, "unavailable" ), /** * This error code should be returned by the server when a client request is * properly formed but which the server is unable to complete due to * server-defined restrictions. For example, the server, or some part of it, * is not prepared to execute this request, e.g. because it would lead to * excessive consumption of resources or violates the policy of an * Administrative Authority involved [X511, Section 12.8]. If the server is * able to return a more specific error code such as adminLimitExceeded it * should. This error may also be returned if the client attempts to modify * attributes which can not be modified by users, e.g., operational * attributes such as creatorsName or createTimestamp [X511, Section 7.12]. * If appropriate, details of the error should be provided in the error * message. Applicable operations: all. Result code type: Specific (Service) */ UNWILLING_TO_PERFORM( 53, "unwillingToPerform" ), /** * This error may be returned by the server if it detects an alias or * referral loop, and is unable to satisfy the client's request. Applicable * operations: all. Result code type: Specific (Service) */ LOOP_DETECT( 54, "loopDetect" ), // ------------------------------------------------------------------------ // Attribute Problem Specific Error Codes: // // An attribute error reports a problem related to an attribute specified // by the client in their request message. // ------------------------------------------------------------------------ /** * This error may be returned if the attribute specified as an argument of * the operation does not exist in the entry. Applicable operations: Modify, * Compare. Result code type: Specific (Attribute) */ NO_SUCH_ATTRIBUTE( 16, "noSuchAttribute" ), /** * This error may be returned if the specified attribute is unrecognized by * the server, since it is not present in the server's defined schema. If * the server doesn't recognize an attribute specified in a search request * as the attribute to be returned the server should not return an error in * this case - it should just return values for the requested attributes it * does recognize. Note that this result code only applies to the Add and * Modify operations [X.511, Section 12.4]. Applicable operations: Modify, * Add. Result code type: Specific (Attribute) */ UNDEFINED_ATTRIBUTE_TYPE( 17, "undefinedAttributeType" ), /** * An attempt was made, e.g., in a filter, to use a matching rule not * defined for the attribute type concerned [X511, Section 12.4]. Applicable * operations: Search. Result code type: Specific (Attribute) */ INAPPROPRIATE_MATCHING( 18, "inappropriateMatching" ), /** * This error should be returned by the server if an attribute value * specified by the client violates the constraints placed on the attribute * as it was defined in the DSA - this may be a size constraint or a * constraint on the content. Applicable operations: Modify, Add, ModifyDN. * Result code type: Specific (Attribute) */ CONSTRAINT_VIOLATION( 19, "constraintViolation" ), /** * This error should be returned by the server if the value specified by the * client already exists within the attribute. Applicable operations: * Modify, Add. Result code type: Specific (Attribute) */ ATTRIBUTE_OR_VALUE_EXISTS( 20, "attributeOrValueExists" ), /** * This error should be returned by the server if the attribute syntax for * the attribute value, specified as an argument of the operation, is * unrecognized or invalid. Applicable operations: Modify, Add. Result code * type: Specific (Attribute) */ INVALID_ATTRIBUTE_SYNTAX( 21, "invalidAttributeSyntax" ), // ------------------------------------------------------------------------ // Name Problem Specific Error Codes: // // A name error reports a problem related to the distinguished name // provided as an argument to an operation [X511, Section 12.5]. // // For result codes of NO_SUCH_OBJECT, aliasProblem, invalidDNSyntax and // aliasDereferencingProblem (see Section 5.2.2.3.7), the matchedDN // field is set to the name of the lowest entry (object or alias) in the // directory that was matched. If no aliases were dereferenced while // attempting to locate the entry, this will be a truncated form of the // name provided, or if aliases were dereferenced, of the resulting // name, as defined in section 12.5 of X.511 [X511]. The matchedDN field // is to be set to a zero length string with all other result codes // [RFC2251, Section 4.1.10]. // ------------------------------------------------------------------------ /** * This error should only be returned if the target object cannot be found. * For example, in a search operation if the search base can not be located * in the DSA the server should return NO_SUCH_OBJECT. If, however, the search * base is found but does not match the search filter, success, with no * resultant objects, should be returned instead of NO_SUCH_OBJECT. If the * LDAP server is a front end for an X.500 DSA then NO_SUCH_OBJECT may also be * returned if discloseOnError is not granted for an entry and the client * does not have permission to view or modify the entry. Applicable * operations: all except for Bind. Result code type: Specific (Name) */ NO_SUCH_OBJECT( 32, "NO_SUCH_OBJECT" ), /** * An alias has been dereferenced which names no object [X511, Section 12.5] * Applicable operations: Search. Result code type: Specific (Name) */ ALIAS_PROBLEM( 33, "aliasProblem" ), /** * This error should be returned by the server if the Dn syntax is * incorrect. It should not be returned if the Dn is correctly formed but * represents an entry which is not permitted by the structure rules at the * DSA ; in this case namingViolation should be returned instead. Applicable * operations: all. Result code type: Specific (Name) */ INVALID_DN_SYNTAX( 34, "invalidDNSyntax" ), // ------------------------------------------------------------------------ // Update Problem Specific Error Codes: // // An update error reports problems related to attempts to add, delete, or // modify information in the DIB [X511, Section 12.9]. // ------------------------------------------------------------------------ /** * The attempted addition or modification would violate the structure rules * of the DIT as defined in the directory schema and X.501. That is, it * would place an entry as the subordinate of an alias entry, or in a region * of the DIT not permitted to a member of its object class, or would define * an Rdn for an entry to include a forbidden attribute type [X511, Section * 12.9]. Applicable operations: Add, ModifyDN. Result code type: Specific * (Update) */ NAMING_VIOLATION( 64, "namingViolation" ), /** * This error should be returned if the operation requested by the user * would violate the objectClass requirements for the entry if carried out. * On an add or modify operation this would result from trying to add an * object class without a required attribute, or by trying to add an * attribute which is not permitted by the current object class set in the * entry. On a modify operation this may result from trying to remove a * required attribute without removing the associated auxiliary object * class, or by attempting to remove an object class while the attributes it * permits are still present. Applicable operations: Add, Modify, ModifyDN. * Result code type: Specific (Update) */ OBJECT_CLASS_VIOLATION( 65, "objectClassViolation" ), /** * This error should be returned if the client attempts to perform an * operation which is permitted only on leaf entries - e.g., if the client * attempts to delete a non-leaf entry. If the directory does not permit * ModifyDN for non-leaf entries then this error may be returned if the * client attempts to change the Dn of a non-leaf entry. (Note that 1988 * edition X.500 servers only permitted change of the Rdn of an entry's Dn * [X.511, Section 11.4.1]). Applicable operations: Delete, ModifyDN. Result * code type: Specific (Update) */ NOT_ALLOWED_ON_NON_LEAF( 66, "notAllowedOnNonLeaf" ), /** * The attempted operation would affect the Rdn (e.g., removal of an * attribute which is a part of the Rdn) [X511, Section 12.9]. If the client * attempts to remove from an entry any of its distinguished values, those * values which form the entry's relative distinguished name the server * should return the error notAllowedOnRDN. [RFC2251, Section 4.6] * Applicable operations: Modify. Result code type: Specific (Update) */ NOT_ALLOWED_ON_RDN( 67, "notAllowedOnRDN" ), /** * This error should be returned by the server when the client attempts to * add an entry which already exists, or if the client attempts to rename an * entry with the name of an entry which exists. Applicable operations: Add, * ModifyDN. Result code type: Specific (Update) */ ENTRY_ALREADY_EXISTS( 68, "entryAlreadyExists" ), /** * An operation attempted to modify an object class that should not be * modified, e.g., the structural object class of an entry. Some servers may * not permit object class modifications, especially modifications to the * structural object class since this may change the entry entirely, name * forms, structure rules etc. [X.511, Section 12.9]. Applicable operations: * Modify. Result code type: Specific (Update) */ OBJECT_CLASS_MODS_PROHIBITED( 69, "objectClassModsProhibited" ), /** * This error code should be returned to indicate that the operation could * not be performed since it affects more than one DSA. This error code is * new for LDAPv3. X.500 restricts the ModifyDN operation to only affect * entries that are contained within a single server. If the LDAP server is * mapped onto DAP, then this restriction will apply, and the resultCode * affectsMultipleDSAs will be returned if this error occurred. In general * clients MUST NOT expect to be able to perform arbitrary movements of * entries and subtrees between servers [RFC2251, Section 4.9]. Applicable * operations: ModifyDN. Result code type: Specific (Update) */ AFFECTS_MULTIPLE_DSAS( 71, "affectsMultipleDSAs" ), // ------------------------------------------------------------------------ // General Error Codes: // // A general error code typically specifies an error condition for which // there is no suitable specific error code. If the server can return an // error, which is more specific than the following general errors, then // the specific error should be returned instead. // ------------------------------------------------------------------------ /** * This error code should be returned only if no other error code is * suitable. Use of this error code should be avoided if possible. Details * of the error should be provided in the error message. Applicable * operations: all. Result code type: General */ OTHER( 80, "other" ), /** * This error code is returned when an operation has been canceled using * the Cancel extended operation. */ CANCELED( 118, "canceled" ), /** * This error code is returned if the server has no knowledge of * the operation requested for cancelation. */ NO_SUCH_OPERATION( 119, "noSuchOperation" ), /** * The tooLate resultCode is returned to indicate that it is too late to * cancel the outstanding operation. For example, the server may return * tooLate for a request to cancel an outstanding modify operation which * has already committed updates to the underlying data store. */ TOO_LATE( 120, "tooLate" ), /** * The cannotCancel resultCode is returned if the identified operation * does not support cancelation or the cancel operation could not be * performed. The following classes of operations are not cancelable: * * - operations which have no response, * * - operations which create, alter, or destroy authentication and/or * authorization associations, * * - operations which establish, alter, or tear-down security services, * and * * - operations which abandon or cancel other operations. */ CANNOT_CANCEL( 121, "cannotCancel" ), /** * The server may return this result code on the initial content poll * if it is safe to do so when it is unable to perform the operation * due to various reasons. For more detailed explanation refer * <a href="http://www.faqs.org/rfcs/rfc4533.html">RFC 4533 (a.k.a syncrepl)</a> */ E_SYNC_REFRESH_REQUIRED( 4096, "eSyncRefreshRequired" ), /** * A unknown result code to cover all the other cases */ // -- 15 unused -- // -- 22-31 unused -- // -- 35 reserved for undefined isLeaf -- // -- 37-47 unused -- // -- 55-63 unused -- // -- 70 reserved for CLDAP -- // -- 72-79 unused -- // -- 81-90 reserved for APIs -- UNKNOWN( 122, "unknown" );
  • No labels