Common LDAP error codes

The examples below use the OpenLDAP command-line tools on Linux (port 6005 and the bind DN are placeholders for the author's own setup):

  • Add entries: ldapadd -x -h localhost -p 6005 -w password -D cn=linuxUserName -v -f fileName.ldif
  • Search: ldapsearch -x -LLL -h localhost -p 6005 -w password -D cn=linuxUserName -b dc=dcValue "(|(attr1=value1)(attr2=value2))" attr1 attr2 (the filter is written in LDAP filter syntax; it is followed by the list of attributes to return, separated by spaces)
  • Delete an entry: ldapdelete -x -h localhost -p 6005 -w password -D cn=linuxUserName 'DN of the entry'

A few practical notes on these invocations: -D takes the full bind DN (for example cn=admin,dc=example,dc=com), not just a user name; -w puts the password into the process list and the shell history, so prefer -W (interactive prompt) or -y passwordfile; -h/-p are deprecated in current OpenLDAP in favour of -H ldap://localhost:6005; and a simple bind (-x) sends the password in cleartext unless the connection uses TLS (ldaps:// or StartTLS via -ZZ).

1) ldapadd: Object class violation (65)
Cause: the entry does not satisfy its object classes. It carries an attribute that none of its objectClass values allows, lacks a structural objectClass altogether, or omits an attribute that one of its classes requires (MUST).
Solution: add the appropriate objectClass: <class name> lines (and any attributes those classes require) so that every attribute in the entry is permitted by one of its classes.

2) ldapadd: Constraint violation (19)
additional info: Another entry with the same attribute value already exists
Cause: a value in the new entry duplicates the value of an attribute that the server keeps unique (a key-like attribute such as uid or mail), so the uniqueness constraint rejects the add.
Solution: change the duplicate value in the entry being added. Only if the constraint itself is wrong should the uniqueness rule in the directory's configuration (schema constraints, uniqueness overlay or plugin) be relaxed.

3) ldapadd: Already exists (68)
Cause: an entry with the same DN is already in the directory.
Solution: nothing needs to be added. If the intent was to change the existing entry, use ldapmodify instead; a prior ldapsearch -b '<dn>' -s base shows whether the entry is present.

4) ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
additional info: SASL(-4): no mechanism available:
Cause: no authentication method was specified, so the tool defaulted to a SASL bind and no SASL mechanism could be negotiated with the server.
Solution: add -x to the command line to request a simple bind (together with -D and the password). Because a simple bind sends the password in cleartext, use it only over TLS (ldaps:// or -ZZ).
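The four failures above are the ones a scripted LDIF load runs into most often, and each calls for a different reaction (skip, retry, fix the LDIF, fix the credentials). The following wrapper is an added example, not code from the original page: it assumes that ldapadd exits with the LDAP result code (0 success, 68 entry already exists, 19 constraint violation, and so on) and that client-side codes, which OpenLDAP defines as negative numbers (-6 for Unknown authentication method), reach the parent as 256 + code in the exit status. The URI, bind DN and password-file path are placeholders.

```python
"""Idempotent LDIF loader around OpenLDAP's ldapadd that acts on its result codes.

Added example, not code from the original page.  Assumes ldapadd exits with
the LDAP result code and that negative client-side codes wrap to 256 + code
(exit(-6) is reported as 250).  URI, bind DN and password file are placeholders.
"""
import os
import stat
import subprocess
from dataclasses import dataclass

# Result codes this loader distinguishes; values as in the lists on this page.
LDAP_SUCCESS = 0
LDAP_STRONG_AUTH_REQUIRED = 8
LDAP_CONFIDENTIALITY_REQUIRED = 13
LDAP_CONSTRAINT_VIOLATION = 19
LDAP_INVALID_CREDENTIALS = 49
LDAP_INSUFFICIENT_ACCESS = 50
LDAP_BUSY = 51
LDAP_UNAVAILABLE = 52
LDAP_OBJECT_CLASS_VIOLATION = 65
LDAP_ALREADY_EXISTS = 68
LDAP_AUTH_UNKNOWN = -6            # client-side: no usable bind method (missing -x)

RETRYABLE = {LDAP_BUSY, LDAP_UNAVAILABLE}
LDIF_PROBLEMS = {LDAP_CONSTRAINT_VIOLATION, LDAP_OBJECT_CLASS_VIOLATION}
AUTH_PROBLEMS = {LDAP_STRONG_AUTH_REQUIRED, LDAP_CONFIDENTIALITY_REQUIRED,
                 LDAP_INVALID_CREDENTIALS, LDAP_INSUFFICIENT_ACCESS,
                 LDAP_AUTH_UNKNOWN}


@dataclass
class AddOutcome:
    code: int      # signed LDAP result code
    action: str    # "ok", "skip", "retry", "fix-ldif", "fix-auth" or "fail"
    detail: str    # text after "additional info:" in ldapadd's stderr, if any


def ldap_code_from_exit_status(status: int) -> int:
    """Undo the 8-bit wrap: exit(-6) is reported to the parent as 250."""
    return status - 256 if status > 127 else status


def additional_info(stderr_text: str) -> str:
    """Extract the server-supplied diagnostic that ldapadd prints after the result line."""
    for line in stderr_text.splitlines():
        line = line.strip()
        if line.startswith("additional info:"):
            return line[len("additional info:"):].strip()
    return ""


def classify(exit_status: int, stderr_text: str) -> AddOutcome:
    """Turn ldapadd's exit status and stderr into one of a few operator actions."""
    code = ldap_code_from_exit_status(exit_status)
    if code == LDAP_SUCCESS:
        action = "ok"
    elif code == LDAP_ALREADY_EXISTS:
        action = "skip"       # the entry is there; re-running the load is harmless
    elif code in RETRYABLE:
        action = "retry"
    elif code in LDIF_PROBLEMS:
        action = "fix-ldif"   # duplicate unique value or missing objectClass/MUST attribute
    elif code in AUTH_PROBLEMS:
        action = "fix-auth"   # wrong DN/password, no -x, or TLS/strong auth demanded
    else:
        action = "fail"
    return AddOutcome(code, action, additional_info(stderr_text))


def check_password_file(path: str) -> None:
    """Refuse a password file (the -y argument) that other users could read."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} is mode {mode:o}; it must be readable only by its owner")


def ldapadd_idempotent(ldif_path: str, bind_dn: str, passwd_file: str,
                       uri: str = "ldap://localhost:6005", retries: int = 3) -> AddOutcome:
    """Load an LDIF file, treating 'already exists' as success and retrying transient errors.

    The password comes from a file (-y) rather than the command line (-w), and
    -ZZ makes the simple bind fail rather than send the password without TLS.
    """
    check_password_file(passwd_file)
    cmd = ["ldapadd", "-x", "-ZZ", "-H", uri, "-D", bind_dn, "-y", passwd_file, "-f", ldif_path]
    outcome = AddOutcome(LDAP_UNAVAILABLE, "retry", "not attempted")
    for _ in range(retries):
        proc = subprocess.run(cmd, capture_output=True, text=True)
        outcome = classify(proc.returncode, proc.stderr)
        if outcome.action != "retry":
            break
    return outcome
```

classify() is deliberately separate from the subprocess call so the decision logic can be exercised against captured tool output without a directory server; ldapadd_idempotent() is what a provisioning script would call, and its "skip" outcome is what makes re-running the same LDIF safe.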

LDAP error codes (decimal)

LDAP_SUCCESS = 0 // success
LDAP_OPERATIONS_ERROR = 1 // operations error
LDAP_PROTOCOL_ERROR = 2 // protocol error
LDAP_TIME_LIMIT_EXCEEDED = 3 // time limit exceeded
LDAP_SIZE_LIMIT_EXCEEDED = 4 // size limit exceeded (maximum number of returned entries)
LDAP_COMPARE_FALSE = 5 // compare result is false (not an error)
LDAP_COMPARE_TRUE = 6 // compare result is true (not an error)
LDAP_AUTH_METHOD_NOT_SUPPORTED = 7 // authentication method not supported
LDAP_STRONG_AUTH_REQUIRED = 8 // strong authentication required
LDAP_PARTIAL_RESULTS = 9 // partial results (LDAPv2 referral)
LDAP_REFERRAL = 10 // referral
LDAP_ADMIN_LIMIT_EXCEEDED = 11 // administrative limit exceeded
LDAP_UNAVAILABLE_CRITICAL_EXTENSION = 12 // a control marked critical is not supported
LDAP_CONFIDENTIALITY_REQUIRED = 13 // confidentiality (TLS) required
LDAP_SASL_BIND_IN_PROGRESS = 14 // SASL bind in progress (not an error)
LDAP_NO_SUCH_ATTRIBUTE = 16 // no such attribute
LDAP_UNDEFINED_ATTRIBUTE_TYPE = 17 // undefined attribute type
LDAP_INAPPROPRIATE_MATCHING = 18 // inappropriate matching
LDAP_CONSTRAINT_VIOLATION = 19 // constraint violation
LDAP_ATTRIBUTE_OR_VALUE_EXISTS = 20 // attribute or value already exists
LDAP_INVALID_ATTRIBUTE_SYNTAX = 21 // invalid attribute syntax
LDAP_NO_SUCH_OBJECT = 32 // no such object
LDAP_ALIAS_PROBLEM = 33 // alias problem
LDAP_INVALID_DN_SYNTAX = 34 // invalid DN syntax
LDAP_IS_LEAF = 35 // entry is a leaf (reserved; not in LDAPv3)
LDAP_ALIAS_DEREFERENCING_PROBLEM = 36 // alias dereferencing problem
LDAP_INAPPROPRIATE_AUTHENTICATION = 48 // inappropriate authentication
LDAP_INVALID_CREDENTIALS = 49 // invalid credentials
LDAP_INSUFFICIENT_ACCESS_RIGHTS = 50 // insufficient access rights
LDAP_BUSY = 51 // server busy
LDAP_UNAVAILABLE = 52 // server unavailable
LDAP_UNWILLING_TO_PERFORM = 53 // server unwilling to perform
LDAP_LOOP_DETECT = 54 // loop detected
LDAP_NAMING_VIOLATION = 64 // naming violation
LDAP_OBJECT_CLASS_VIOLATION = 65 // object class violation
LDAP_NOT_ALLOWED_ON_NON_LEAF = 66 // operation not allowed on a non-leaf entry
LDAP_NOT_ALLOWED_ON_RDN = 67 // operation not allowed on an RDN
LDAP_ENTRY_ALREADY_EXISTS = 68 // entry already exists
LDAP_OBJECT_CLASS_MODS_PROHIBITED = 69 // object class modifications prohibited
LDAP_AFFECTS_MULTIPLE_DSAS = 71 // operation affects multiple DSAs
LDAP_OTHER = 80 // other

Here is the same list in hexadecimal for comparison.

Below are the hexadecimal error codes defined in winldap.h; I have added explanations, taken from a book on Active Directory, to most of them. Note that winldap.h gives the client-side conditions (0x51 LDAP_SERVER_DOWN and above) positive values, whereas OpenLDAP's ldap.h defines the same conditions as negative codes, which is why the tool above reported -6 for Unknown authentication method.

typedef enum {
    LDAP_SUCCESS                    = 0x00, // the operation completed successfully
    LDAP_OPERATIONS_ERROR           = 0x01, // an unspecified error occurred on the server while processing the LDAP request
    LDAP_PROTOCOL_ERROR             = 0x02, // the server received a packet that was malformed or out of sequence
    LDAP_TIMELIMIT_EXCEEDED         = 0x03, // the time limit specified for the operation was exceeded; this differs from the client-side timeout raised when the server does not respond in time
    LDAP_SIZELIMIT_EXCEEDED         = 0x04, // the search returned more entries than the administrative or requested limit allows
    LDAP_COMPARE_FALSE              = 0x05, // an LDAP compare function (e.g. ldap_compare()) returned FALSE
    LDAP_COMPARE_TRUE               = 0x06, // an LDAP compare function (e.g. ldap_compare()) returned TRUE
    LDAP_AUTH_METHOD_NOT_SUPPORTED  = 0x07, // the authentication method requested in a bind (e.g. ldap_bind()) is not supported by the server; can happen when a non-Microsoft LDAP client talks to Active Directory
    LDAP_STRONG_AUTH_REQUIRED       = 0x08, // the server requires a strong authentication method rather than a simple password
    LDAP_REFERRAL_V2                = 0x09, // the search result contains an LDAPv2 referral or a partial result set
    LDAP_PARTIAL_RESULTS            = 0x09, // same value as LDAP_REFERRAL_V2
    LDAP_REFERRAL                   = 0x0a, // the requested operation must be handled by another server that holds a replica of the appropriate naming context
    LDAP_ADMIN_LIMIT_EXCEEDED       = 0x0b, // an administrative limit was exceeded, e.g. a search took longer than the server's maximum
    LDAP_UNAVAILABLE_CRIT_EXTENSION = 0x0c, // the client requested an LDAP extension marked critical, but the server does not support it
    LDAP_CONFIDENTIALITY_REQUIRED   = 0x0d, // the operation requires some level of encryption
    LDAP_SASL_BIND_IN_PROGRESS      = 0x0e, // a bind was requested while a SASL bind was already in progress on the client
    LDAP_NO_SUCH_ATTRIBUTE          = 0x10, // the client tried to modify or delete an attribute that the entry does not have
    LDAP_UNDEFINED_TYPE             = 0x11, // undefined attribute type
    LDAP_INAPPROPRIATE_MATCHING     = 0x12, // the supplied matching rule is not appropriate for the search or for the attribute
    LDAP_CONSTRAINT_VIOLATION       = 0x13, // the client requested an operation that would violate a semantic constraint in the directory; a frequent cause is an improper schema change, e.g. supplying a duplicate OID when adding a new class
    LDAP_ATTRIBUTE_OR_VALUE_EXISTS  = 0x14, // the client tried to add an attribute or value that already exists
    LDAP_INVALID_SYNTAX             = 0x15, // an attribute value in the request does not conform to the attribute's syntax
    LDAP_NO_SUCH_OBJECT             = 0x20, // the client tried to modify or delete an entry that does not exist in the directory
    LDAP_ALIAS_PROBLEM              = 0x21, // the server hit an error while processing an alias
    LDAP_INVALID_DN_SYNTAX          = 0x22, // the distinguished name given in the request is malformed
    LDAP_IS_LEAF                    = 0x23, // the entry named in the call is a leaf of the directory tree
    LDAP_ALIAS_DEREF_PROBLEM        = 0x24, // the server hit an error dereferencing an alias, e.g. the target entry does not exist
    LDAP_INAPPROPRIATE_AUTH         = 0x30, // the authentication level is insufficient for the operation
    LDAP_INVALID_CREDENTIALS        = 0x31, // the credentials supplied in the bind request are invalid, e.g. a wrong password
    LDAP_INSUFFICIENT_RIGHTS        = 0x32, // the caller lacks the access rights needed for the operation
    LDAP_BUSY                       = 0x33, // the server is too busy to serve the request; retry later
    LDAP_UNAVAILABLE                = 0x34, // the directory service is temporarily unavailable; retry later
    LDAP_UNWILLING_TO_PERFORM       = 0x35, // the server refuses the operation because of administrative policy, e.g. a schema modification while schema updates are disallowed or the connection is not to the schema master
    LDAP_LOOP_DETECT                = 0x36, // while chasing referrals the client was referred to a server it had already visited
    LDAP_SORT_CONTROL_MISSING       = 0x3C,
    LDAP_OFFSET_RANGE_ERROR         = 0x3D,
    LDAP_NAMING_VIOLATION           = 0x40, // the client specified an incorrect distinguished name for the object
    LDAP_OBJECT_CLASS_VIOLATION     = 0x41, // the operation violates the semantic rules of the class definition
    LDAP_NOT_ALLOWED_ON_NONLEAF     = 0x42, // the requested operation may only be performed on a leaf object (not a container)
    LDAP_NOT_ALLOWED_ON_RDN         = 0x43, // the operation is not allowed on the relative distinguished name
    LDAP_ALREADY_EXISTS             = 0x44, // the client tried to add an object that already exists
    LDAP_NO_OBJECT_CLASS_MODS       = 0x45, // the client tried to change an object's class by modifying its objectClass attribute
    LDAP_RESULTS_TOO_LARGE          = 0x46, // the search result set is too large for the server to handle
    LDAP_AFFECTS_MULTIPLE_DSAS      = 0x47, // the operation would affect several DSAs (directory system agents), e.g. deleting a subtree that contains a subordinate reference to another naming context
    LDAP_VIRTUAL_LIST_VIEW_ERROR    = 0x4c,
    LDAP_OTHER                      = 0x50, // some other LDAP error occurred
    LDAP_SERVER_DOWN                = 0x51, // the LDAP server is down
    LDAP_LOCAL_ERROR                = 0x52, // some other unspecified error occurred on the client
    LDAP_ENCODING_ERROR             = 0x53, // an error occurred while encoding an LDAP request into ASN.1
    LDAP_DECODING_ERROR             = 0x54, // the ASN.1-encoded data received from the server is invalid
    LDAP_TIMEOUT                    = 0x55, // the server did not respond to the client within the specified time
    LDAP_AUTH_UNKNOWN               = 0x56, // an unknown authentication mechanism was specified in the bind request
    LDAP_FILTER_ERROR               = 0x57, // the search filter is malformed
    LDAP_USER_CANCELLED             = 0x58, // the user cancelled the operation
    LDAP_PARAM_ERROR                = 0x59, // a parameter passed to the function is wrong, e.g. a NULL pointer passed to an LDAP API function that does not accept one
    LDAP_NO_MEMORY                  = 0x5a, // the client failed to allocate memory
    LDAP_CONNECT_ERROR              = 0x5b, // the client failed to establish a TCP connection to the server
    LDAP_NOT_SUPPORTED              = 0x5c, // the requested operation is not supported by this version of the LDAP protocol
    LDAP_CONTROL_NOT_FOUND          = 0x5d, // the data received from the server indicates that an LDAP control is present, but no control was found in the data
    LDAP_NO_RESULTS_RETURNED        = 0x5e, // a response was received from the server, but it contains no result
    LDAP_MORE_RESULTS_TO_RETURN     = 0x5f, // more results remain to be returned to the client
    LDAP_CLIENT_LOOP                = 0x60, // the client detected a loop while processing referrals
    LDAP_REFERRAL_LIMIT_EXCEEDED    = 0x61  // the number of referrals the client chased exceeded the limit
} LDAP_RETCODE;
Hex   Dec    Constant: Description
0x00  0      LDAP_SUCCESS: The requested client operation completed successfully.
0x01  1      LDAP_OPERATIONS_ERROR: An internal error. The server is unable to respond with a more specific error and is also unable to properly respond to a request. It does not indicate that the client has sent an erroneous message. In NDS 8.3x through NDS 7.xx this was the default error for NDS errors that did not map to an LDAP error code; to conform to the newer LDAP drafts, NDS 8.5 uses 80 (0x50) for such errors.
0x02  2      LDAP_PROTOCOL_ERROR: The server has received an invalid or malformed request from the client.
0x03  3      LDAP_TIMELIMIT_EXCEEDED: The operation's time limit, specified by either the client or the server, has been exceeded. On search operations, incomplete results are returned.
0x04  4      LDAP_SIZELIMIT_EXCEEDED: In a search operation, the size limit specified by the client or the server has been exceeded. Incomplete results are returned.
0x05  5      LDAP_COMPARE_FALSE: Not an error condition; the result of a compare operation is false.
0x06  6      LDAP_COMPARE_TRUE: Not an error condition; the result of a compare operation is true.
0x07  7      LDAP_AUTH_METHOD_NOT_SUPPORTED: During a bind operation the client requested an authentication method not supported by the LDAP server.
0x08  8      LDAP_STRONG_AUTH_REQUIRED: One of the following: in bind requests, the LDAP server accepts only strong authentication; in a client request, the client requested an operation such as delete that requires strong authentication; in an unsolicited notice of disconnection, the LDAP server discovered that the security protecting the communication between client and server has unexpectedly failed or been compromised.
0x09  9      Reserved.
0x0A  10     LDAP_REFERRAL: Not an error condition. In LDAPv3, indicates that the server does not hold the target entry of the request, but that the servers in the referral field may.
0x0B  11     LDAP_ADMINLIMIT_EXCEEDED: An LDAP server limit set by an administrative authority has been exceeded.
0x0C  12     LDAP_UNAVAILABLE_CRITICAL_EXTENSION: The LDAP server was unable to satisfy a request because one or more critical extensions were not available. Either the server does not support the control or the control is not appropriate for the operation type.
0x0D  13     LDAP_CONFIDENTIALITY_REQUIRED: The session is not protected by a protocol such as Transport Layer Security (TLS), which provides session confidentiality.
0x0E  14     LDAP_SASL_BIND_IN_PROGRESS: Not an error condition; the server is ready for the next step in the process. The client must send the server the same SASL mechanism to continue.
0x0F  15     Not used.
0x10  16     LDAP_NO_SUCH_ATTRIBUTE: The attribute specified in the modify or compare operation does not exist in the entry.
0x11  17     LDAP_UNDEFINED_TYPE: The attribute specified in the modify or add operation does not exist in the LDAP server's schema.
0x12  18     LDAP_INAPPROPRIATE_MATCHING: The matching rule specified in the search filter does not match a rule defined for the attribute's syntax.
0x13  19     LDAP_CONSTRAINT_VIOLATION: The attribute value specified in a modify, add, or modify DN operation violates constraints placed on the attribute. The constraint can be one of size or content (string only, no binary).
0x14  20     LDAP_TYPE_OR_VALUE_EXISTS: The attribute value specified in a modify or add operation already exists as a value for that attribute.
0x15  21     LDAP_INVALID_SYNTAX: The attribute value specified in an add, compare, or modify operation is an unrecognized or invalid syntax for the attribute.
-     22-31  Not used.
0x20  32     LDAP_NO_SUCH_OBJECT: The target object cannot be found. This code is not returned for search operations that find the search base but no entries matching the filter, nor for bind operations.
0x21  33     LDAP_ALIAS_PROBLEM: An error occurred when an alias was dereferenced.
0x22  34     LDAP_INVALID_DN_SYNTAX: The syntax of the DN is incorrect. (If the DN syntax is correct but the LDAP server's structure rules do not permit the operation, the server returns LDAP_UNWILLING_TO_PERFORM.)
0x23  35     LDAP_IS_LEAF: The specified operation cannot be performed on a leaf entry. (Not currently in the LDAP specifications, but reserved for this constant.)
0x24  36     LDAP_ALIAS_DEREF_PROBLEM: During a search operation, either the client does not have access rights to read the aliased object's name or dereferencing is not allowed.
-     37-47  Not used.
0x30  48     LDAP_INAPPROPRIATE_AUTH: During a bind operation the client is attempting to use an authentication method that it cannot use correctly. For example: the client returns simple credentials when strong credentials are required; or the client returns a DN and a password for a simple bind when the entry has no password defined.
0x31  49     LDAP_INVALID_CREDENTIALS: During a bind operation one of the following occurred: the client passed an incorrect DN or password; or the password is incorrect because it has expired, intruder detection has locked the account, or some similar reason.
0x32  50     LDAP_INSUFFICIENT_ACCESS: The caller does not have sufficient rights to perform the requested operation.
0x33  51     LDAP_BUSY: The LDAP server is too busy to process the client request at this time, but may be able to process it if the client waits and resubmits the request.
0x34  52     LDAP_UNAVAILABLE: The LDAP server cannot process the client's bind request, usually because it is shutting down.
0x35  53     LDAP_UNWILLING_TO_PERFORM: The LDAP server cannot process the request because of server-defined restrictions: the add entry request violates the server's structure rules; the modify request specifies attributes that users cannot modify; password restrictions prevent the action; or connection restrictions prevent the action.
0x36  54     LDAP_LOOP_DETECT: The client discovered an alias or referral loop and is thus unable to complete this request.
-     55-63  Not used.
0x40  64     LDAP_NAMING_VIOLATION: The add or modify DN operation violates the schema's structure rules. For example: the request places the entry subordinate to an alias; the request places the entry subordinate to a container that is forbidden by the containment rules; or the RDN for the entry uses a forbidden attribute type.
0x41  65     LDAP_OBJECT_CLASS_VIOLATION: The add, modify, or modify DN operation violates the object class rules for the entry. For example: the add or modify operation tries to add an entry without a value for a required attribute; the add or modify operation tries to add an entry with a value for an attribute which the class definition does not contain; or the modify operation tries to remove a required attribute without removing the auxiliary class that defines the attribute as required.
0x42  66     LDAP_NOT_ALLOWED_ON_NONLEAF: The requested operation is permitted only on leaf entries. For example: the client requests a delete operation on a parent entry; or the client requests a modify DN operation on a parent entry.
0x43  67     LDAP_NOT_ALLOWED_ON_RDN: The modify operation attempted to remove an attribute value that forms the entry's relative distinguished name.
0x44  68     LDAP_ALREADY_EXISTS: The add operation attempted to add an entry that already exists, or the modify operation attempted to rename an entry to the name of an entry that already exists.
0x45  69     LDAP_NO_OBJECT_CLASS_MODS: The modify operation attempted to modify the structure rules of an object class.
0x46  70     LDAP_RESULTS_TOO_LARGE: Reserved for CLDAP.
0x47  71     LDAP_AFFECTS_MULTIPLE_DSAS: The modify DN operation moves the entry from one LDAP server to another and thus requires more than one LDAP server.
-     72-79  Not used.
0x50  80     LDAP_OTHER: An unknown error condition. This is the default value for NDS error codes which do not map to other LDAP error codes.
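On the server side the same codes are what a defender watches for: a burst of err=49 (invalid credentials) across many DNs from one address is a password spray, and a successful simple bind with ssf=0 means a password crossed the wire in cleartext (the condition err=13, confidentiality required, exists to refuse). The detector below is an added example, not part of the original page. Its log lines are constructed to mirror the shape of OpenLDAP's loglevel stats output (ACCEPT, BIND and RESULT records joined by conn= and op=, tag=97 marking a bind response); the addresses, DNs and the spray threshold are made up.

```python
"""Spot password spraying and cleartext simple binds in slapd 'loglevel stats' output.

Added example, not part of the original page.  SAMPLE_LOG is constructed to
mirror the shape of OpenLDAP stats logging; IPs, DNs and threshold are made up.
"""
import re
from collections import defaultdict

LDAP_SUCCESS = 0
LDAP_CONFIDENTIALITY_REQUIRED = 13   # server refused the bind: session not TLS-protected
LDAP_INVALID_CREDENTIALS = 49        # wrong DN/password, expired password, locked account
BIND_RESPONSE_TAG = 97               # tag=97 on a RESULT line is a BindResponse

ACCEPT_RE = re.compile(r"conn=(\d+) fd=\d+ ACCEPT from IP=([\d.]+):\d+")
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" (?:method=\d+|mech=\S+ ssf=(\d+))')
RESULT_RE = re.compile(r"conn=(\d+) op=(\d+) RESULT tag=(\d+) err=(\d+)")

SAMPLE_LOG = """\
Mar  3 10:00:01 ldap1 slapd[812]: conn=1001 fd=14 ACCEPT from IP=10.0.0.5:51234 (IP=0.0.0.0:389)
Mar  3 10:00:01 ldap1 slapd[812]: conn=1001 op=0 BIND dn="uid=alice,ou=people,dc=example,dc=com" method=128
Mar  3 10:00:01 ldap1 slapd[812]: conn=1001 op=0 RESULT tag=97 err=49 text=
Mar  3 10:00:02 ldap1 slapd[812]: conn=1002 fd=15 ACCEPT from IP=10.0.0.5:51235 (IP=0.0.0.0:389)
Mar  3 10:00:02 ldap1 slapd[812]: conn=1002 op=0 BIND dn="uid=bob,ou=people,dc=example,dc=com" method=128
Mar  3 10:00:02 ldap1 slapd[812]: conn=1002 op=0 RESULT tag=97 err=49 text=
Mar  3 10:00:03 ldap1 slapd[812]: conn=1003 fd=16 ACCEPT from IP=10.0.0.5:51236 (IP=0.0.0.0:389)
Mar  3 10:00:03 ldap1 slapd[812]: conn=1003 op=0 BIND dn="uid=dave,ou=people,dc=example,dc=com" method=128
Mar  3 10:00:03 ldap1 slapd[812]: conn=1003 op=0 RESULT tag=97 err=49 text=
Mar  3 10:00:05 ldap1 slapd[812]: conn=1010 fd=17 ACCEPT from IP=10.0.0.9:40001 (IP=0.0.0.0:389)
Mar  3 10:00:05 ldap1 slapd[812]: conn=1010 op=0 BIND dn="uid=carol,ou=people,dc=example,dc=com" method=128
Mar  3 10:00:05 ldap1 slapd[812]: conn=1010 op=0 BIND dn="uid=carol,ou=people,dc=example,dc=com" mech=SIMPLE ssf=0
Mar  3 10:00:05 ldap1 slapd[812]: conn=1010 op=0 RESULT tag=97 err=0 text=
Mar  3 10:00:05 ldap1 slapd[812]: conn=1010 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(uid=carol)"
Mar  3 10:00:05 ldap1 slapd[812]: conn=1010 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Mar  3 10:00:07 ldap1 slapd[812]: conn=1011 fd=18 ACCEPT from IP=10.0.0.7:40002 (IP=0.0.0.0:389)
Mar  3 10:00:07 ldap1 slapd[812]: conn=1011 op=0 BIND dn="uid=erin,ou=people,dc=example,dc=com" method=128
Mar  3 10:00:07 ldap1 slapd[812]: conn=1011 op=0 RESULT tag=97 err=13 text=TLS confidentiality required
"""


def parse_bind_events(log_text):
    """Join ACCEPT/BIND/RESULT records into one event per bind attempt."""
    conn_ip = {}     # conn id -> client IP (from ACCEPT)
    bind_dn = {}     # (conn, op) -> DN being bound
    bind_ssf = {}    # (conn, op) -> security strength factor logged for the bind
    events = []
    for line in log_text.splitlines():
        m = ACCEPT_RE.search(line)
        if m:
            conn_ip[m.group(1)] = m.group(2)
            continue
        m = BIND_RE.search(line)
        if m:
            key = (m.group(1), m.group(2))
            bind_dn[key] = m.group(3)
            if m.group(4) is not None:
                bind_ssf[key] = int(m.group(4))
            continue
        m = RESULT_RE.search(line)
        if m and int(m.group(3)) == BIND_RESPONSE_TAG:
            key = (m.group(1), m.group(2))
            events.append({"ip": conn_ip.get(key[0], "?"), "dn": bind_dn.get(key, ""),
                           "err": int(m.group(4)), "ssf": bind_ssf.get(key)})
    return events


def analyse(log_text, spray_threshold=3):
    """Return sprayers (IP -> DNs that failed with err=49), successful simple binds
    over an unprotected session (ssf=0), and binds the server refused with err=13."""
    failed_dns = defaultdict(set)
    cleartext, refused = [], []
    for ev in parse_bind_events(log_text):
        if ev["err"] == LDAP_INVALID_CREDENTIALS:
            failed_dns[ev["ip"]].add(ev["dn"])
        elif ev["err"] == LDAP_SUCCESS and ev["dn"] and ev["ssf"] == 0:
            cleartext.append((ev["ip"], ev["dn"]))
        elif ev["err"] == LDAP_CONFIDENTIALITY_REQUIRED:
            refused.append((ev["ip"], ev["dn"]))
    sprayers = {ip: sorted(dns) for ip, dns in failed_dns.items() if len(dns) >= spray_threshold}
    return {"sprayers": sprayers, "cleartext_binds": cleartext, "refused_no_tls": refused}


if __name__ == "__main__":
    for kind, hits in analyse(SAMPLE_LOG).items():
        print(kind, hits)
```

The spray signal is distinct DNs per source, not raw failure count: a single user mistyping a password three times is err=49 three times on one DN. Connections over a local ldapi:// socket also log ssf=0 without any network exposure; their ACCEPT line names a PATH rather than an IP, so they surface here with ip "?" and should be filtered out before alerting.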
