CA Directory: LDAP Error message description

Document ID : KB000102376
Last Modified Date : 18/06/2018
Question:
What do the various Operation Errors in the DSA logs mean? For example:
"RESULT error security 2" 
"RESULT error name 1" 
"RESULT error abandoned" 
"RESULT error update 5" 
"RESULT error attribute 1" 
"RESULT error service 8" 
"RESULT error abandon 3" 
"RESULT error service 3" 
 
Answer:
Operation Error Summary:

Note: The following errors, explanations and examples are taken from the X.511 standards. Not all the errors are possible with CA Directory and many of the examples are not applicable. Over time this will be modified to indicate the supported messages and relevant examples. Also, wherever you see DIT below, it is in reference to Directory Information Tree.

The operation error summary contains the error category possibly followed by an error problem number.

The possible error categories that may be returned are:
  • Abandoned
  • Abandon Failed
  • Attribute Error
  • Name Error
  • Referral
  • Security Error
  • Service Error
  • Update Error

Abandoned:
This outcome may be reported for any outstanding directory enquiry operation (i.e. Read, Search, Compare, List) if the DUA invokes an Abandon operation with the appropriate InvokeId.

Abandon Failed:
The abandon failed error reports a problem encountered during an attempt to abandon an operation.

Any of the following problems may be indicated:
(1) No Such Operation: When the Directory has no knowledge of the operation which is to be abandoned (this could be because no such invoke took place, or because the Directory has forgotten about it)
(2) Too Late: When the Directory has already responded to the operation
(3) Cannot Abandon: When an attempt has been made to abandon an operation for which this is prohibited (e.g. modify), or the abandon could not be performed


Attribute Error:
An attribute error reports an attribute-related problem.

One or more problems may be specified. Each problem (identified below) is accompanied by an indication of the attribute type, and, if necessary to avoid ambiguity, the value, which caused the problem:
(1) No Such Attribute Or Value: The named entry lacks one of the attributes or attribute values specified as an argument of the operation
(2) Invalid Attribute Syntax: A purported attribute value, specified as an argument of the operation, does not conform to the attribute syntax of the attribute type
(3) Undefined Attribute Type: An undefined attribute type was provided as an argument to the operation. This error may occur only in relation to addEntry or modifyEntry operations
(4) Inappropriate Matching: An attempt was made, e.g. in a filter, to use a matching rule not defined for the attribute type concerned
(5) Constraint Violation: An attribute value supplied in the argument of an operation does not conform to the constraints imposed by ITU-T Rec. X.501 ISO/IEC 9594-2 or by the attribute definition (e.g. the value exceeds the maximum size allowed)
(6) Attribute Or Value Already Exists: An attempt was made to add an attribute which already existed in the entry, or a value which already existed in the attribute
(7) Context Violation: A context list or context supplied with an attribute value in the argument of an operation does not conform to the constraints imposed by ITU-T Rec. X.501 ISO/IEC 9594-2, by the context definition (e.g. the context value is not of the correct syntax), or the DIT Context Use

Name Error:
A name error reports a problem related to the name provided as an argument to an operation.

Any of the following problems may be indicated:
(1) No Such Object: The name supplied does not match the name of any object
(2) Alias Problem: An alias has been dereferenced which names no object
(3) Invalid Attribute Syntax: An attribute type and its accompanying attribute value in an AVA in the name are incompatible
(4) Alias Dereferencing Problem: An alias was encountered in a situation where it was not allowed or where access was denied
(5) Context Problem: A context type or value used in a name is not understood or is invalid, the use of a context variant name is not acceptable, or during name resolution a purported name matches the names of more than one DIT entry


Referral:
A referral redirects the service-user to one or more access points better equipped to carry out the requested operation.

Security Error:
A security error reports a problem in carrying out an operation for security reasons.

The following problems may be indicated:
(1) Inappropriate Authentication: The level of security associated with the requestor's credentials is inconsistent with the level of protection requested, e.g. simple credentials were supplied while strong credentials were required
(2) Invalid Credentials: The supplied credentials were invalid
(3) Insufficient Access Rights: The requestor does not have the right to carry out the requested operation
(4) Invalid Signature: The signature of the request was found to be invalid
(5) Protection Required: The Directory was unwilling to carry out the requested operation because the argument was not signed
(6) No Information: The requested operation produced a security error for which no information is available
(7) Blocked Credentials: The credentials are blocked from consideration for security reasons (e.g. because an invalid password has been presented too many times in succession). The decision to return this error is governed by the security policy in effect for the DSA
(8) Invalid QOP Match: The two entities have differing protection parameters defined for the respective security services
(9) Spkm Error: The supplied SPKM token was found to be invalid. The spkmInfo parameter contains an indication that this is an SPKM error token and the identifier of the SPKM context with which this error is associated


Service Error:
A serviceError reports a problem related to the provision of the service.

The following problems may be indicated:
(1) Busy: The Directory, or some part of it, is presently too busy to perform the requested operation, but may be able to do so after a short while
(2) Unavailable: The Directory, or some part of it, is currently unavailable
(3) Unwilling To Perform: The Directory, or some part of it, is not prepared to execute this request, e.g. because it would lead to excessive consumption of resources or violates the policy of an Administrative Authority involved
(4) Chaining Required: The Directory is unable to accomplish the request other than by chaining; however, chaining was prohibited by means of the chainingProhibited service control option
(5) Unable To Proceed: The DSA returning this error did not have administrative authority for the appropriate naming context and as a consequence was not able to participate in name resolution
(6) Invalid Reference: The DSA was unable to perform the request as directed by the DUA (via OperationProgress). This may have arisen due to using an invalid referral
(7) Time Limit Exceeded: The Directory has reached the limit of time set by the user in a service control. No partial results are available to return to the user
(8) Administrative Limit Exceeded: The Directory has reached some limit set by an administrative authority, and no partial results are available to return to the user
(9) Loop Detected: The Directory is unable to accomplish this request due to an internal loop
(10) Unavailable Critical Extension: The Directory was unable to satisfy the request because one or more critical extensions were not available
(11) Out Of Scope: No referrals were available within the requested scope
(12) Dit Error: The Directory is unable to accomplish the request due to a DIT consistency problem
(13) Invalid Query Reference: The parameters of the requested operation are invalid. This problem is reported if the queryReference in paged results is invalid
(14) Requested Service Not Available: A search request failed within a service specific administrative area because no search-rule was available for the search or because the search violated an applicable search-rule
(15) Unsupported Matching Use: An attempt was made, e.g. in a filter, to use a matching rule not supported by the DSA when the performExactly search option is set
(16) Ambiguous Key Attributes: A mapping-based matching rule was selected, but the mappable filter items provided multiple matches against the relevant mapping table. This error situation is accompanied by a notification attribute as indicated by the relevant matching-based matching rule

Update Error:
An updateError reports problems related to attempts to add, delete, or modify information in the DIT.

The following problems may be indicated:
(1) Naming Violation: The attempted addition or modification would violate the structure rules of the DIT as defined in the Directory schema and ITU-T Rec. X.501 ISO/IEC 9594-2. That is, it would place an entry as the subordinate of an alias entry, or in a region of the DIT not permitted to a member of its object class, or would define an RDN for an entry to include a forbidden attribute type
(2) Object Class Violation: The attempted update would produce an entry inconsistent with the rules for entry content; for example, its object class definition, the DIT content rules, or with the definitions of ITU-T Rec. X.501 ISO/IEC 9594-2 as they pertain to object classes
(3) Not Allowed On Non Leaf: The attempted operation is only allowed on leaf entries of the DIT
(4) Not Allowed On RDN: The attempted operation would affect the RDN (e.g. removal of an attribute which is a part of the RDN)
(5) Entry Already Exists: An attempted addEntry or modifyDN operation names an entry which already exists
(6) Affects Multiple DSAs: An attempted update would need to operate on multiple DSAs where this operation is not permitted
(7) Object Class Modification Prohibited: An operation attempted to modify the structural object class of an entry
(8) No Such Superior: An attempted modifyDN operation names a new superior entry that does not exist
(9) Not Ancestor: An operation attempted to delete a compound entry without specifying the ancestor as the object
(10) Parent Not Ancestor: An operation attempted to establish an entry as an immediately hierarchical child under a family member that is not the ancestor
(11) Hierarchy Rule Violation: An operation attempted to break a rule applicable to a hierarchical group: a hierarchical group has to be completely outside any service specific administrative area or has to be completely contained within a service specific administrative area; hierarchical group is confined to a single DSA
(12) Family Rule Violation: An operation attempted to break a rule applicable to families within a compound entry
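
As an added example (not CA code), the following Python decodes the "category, optionally followed by a problem number" summaries against the tables above and counts Security Error results for review. It assumes the log keyword "abandon" denotes Abandon Failed and that "referral" appears as a keyword; `decode`, `security_summary` and the sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Problem names copied from this page's tables; list position = problem number - 1.
# Assumptions: "abandon" means Abandon Failed, and "referral" is a log keyword.
TABLE = {
    "abandon": ("Abandon Failed", ["No Such Operation", "Too Late", "Cannot Abandon"]),
    "attribute": ("Attribute Error", [
        "No Such Attribute Or Value", "Invalid Attribute Syntax",
        "Undefined Attribute Type", "Inappropriate Matching", "Constraint Violation",
        "Attribute Or Value Already Exists", "Context Violation"]),
    "name": ("Name Error", [
        "No Such Object", "Alias Problem", "Invalid Attribute Syntax",
        "Alias Dereferencing Problem", "Context Problem"]),
    "security": ("Security Error", [
        "Inappropriate Authentication", "Invalid Credentials",
        "Insufficient Access Rights", "Invalid Signature", "Protection Required",
        "No Information", "Blocked Credentials", "Invalid QOP Match", "Spkm Error"]),
    "service": ("Service Error", [
        "Busy", "Unavailable", "Unwilling To Perform", "Chaining Required",
        "Unable To Proceed", "Invalid Reference", "Time Limit Exceeded",
        "Administrative Limit Exceeded", "Loop Detected",
        "Unavailable Critical Extension", "Out Of Scope", "Dit Error",
        "Invalid Query Reference", "Requested Service Not Available",
        "Unsupported Matching Use", "Ambiguous Key Attributes"]),
    "update": ("Update Error", [
        "Naming Violation", "Object Class Violation", "Not Allowed On Non Leaf",
        "Not Allowed On RDN", "Entry Already Exists", "Affects Multiple DSAs",
        "Object Class Modification Prohibited", "No Such Superior", "Not Ancestor",
        "Parent Not Ancestor", "Hierarchy Rule Violation", "Family Rule Violation"]),
    "abandoned": ("Abandoned", []), "referral": ("Referral", []),
}
RESULT_RE = re.compile(r"RESULT error (\w+)(?: (\d+))?")

def decode(line):
    """Return (category, problem or None) for a RESULT error line, else None."""
    m = RESULT_RE.search(line)
    if not m or m.group(1) not in TABLE:
        return None
    category, problems = TABLE[m.group(1)]
    n = int(m.group(2) or 0)  # 0 when the summary carries no problem number
    return category, (problems[n - 1] if 1 <= n <= len(problems) else None)

def security_summary(lines):
    """Count Security Error problems (e.g. Invalid or Blocked Credentials)."""
    decoded = [decode(line) for line in lines]
    return Counter(d[1] for d in decoded if d and d[0] == "Security Error")

# Constructed sample input: strings quoted in the Question plus one extra line.
SAMPLE = ["RESULT error security 2", "RESULT error name 1", "RESULT error abandoned",
          "RESULT error update 5", "RESULT error abandon 3", "RESULT error security 7"]
```

A problem number outside the table for its category decodes to `None` rather than raising, so unknown or product-specific values are still attributed to the right category.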