LDAP error 82 (0x52): Local Error

I have 3 domain controllers in a 2008 AD environment. Some days ago I found that one was corrupt and caused some problems.
This server is the first server in the domain and holds certificate services + DFS registrations. All servers are running on VMware. I decided to restore the server from an old backup (12 months old). The restored server is fine but is of course outdated and
needs to be synchronized with the two existing ones.

First I cleaned up a little in DNS with the following procedure:

renamed the system32\config\netlogon.dns and netlogon.dnb files
ipconfig /registerdns
net stop netlogon
net start netlogon

That eliminated the first error I had with replication: "The target principal name is incorrect". Next was to remove lingering objects using: repadmin /removelingeringobjects RESTORED_SERVER1.DOMAIN.COM 83feb989-46eb-4c0b-9c6f-bae9ec24542c "dc=DOMAIN, dc=COM"

Then I tried to do the following:

repadmin /replicate RESTORED_SERVER1.DOMAIN.COM WORKING_DC.DOMAIN.COM DC=DOMAIN,DC=COM /force

repadmin /replicate RESTORED_SERVER1.DOMAIN.COM WORKING_DC.DOMAIN.COM CN=configuration, DC=DOMAIN,DC=COM /force

repadmin /replicate RESTORED_SERVER1.DOMAIN.COM WORKING_DC.DOMAIN.COM CN=schema,CN=configuration, DC=DOMAIN,DC=COM /force

C:\Users\Administrator> repadmin /replicate RESTORED_SERVER1.DOMAIN.COM WORKING_DC.DOMAIN.COM DC=DOMAIN,DC=COM /force

Repadmin can't connect to a "home server", because of the following error. Try specifying a different home server with /homeserver:[dns name]

Error: An LDAP lookup operation failed with the following error:
    LDAP Error 82(0x52): Local Error
    Server Win32 Error 0(0x0):
    Extended Information:

C:\Users\Administrator> repadmin /replicate RESTORED_SERVER1.DOMAIN.COM WORKING_DC.DOMAIN.COM CN=configuration, DC=DOMAIN,DC=COM /force

Repadmin can't connect to a "home server", because of the following error. Try specifying a different home server with /homeserver:[dns name]

Error: An LDAP lookup operation failed with the following error:
    LDAP Error 82(0x52): Local Error
    Server Win32 Error 0(0x0):
    Extended Information:

C:\Users\Administrator> repadmin /replicate RESTORED_SERVER1.DOMAIN.COM WORKING_DC.DOMAIN.COM CN=schema,CN=configuration, DC=DOMAIN,DC=COM /force

Repadmin can't connect to a "home server", because of the following error. Try specifying a different home server with /homeserver:[dns name]

Error: An LDAP lookup operation failed with the following error:
    LDAP Error 82(0x52): Local Error
    Server Win32 Error 0(0x0):
    Extended Information:

So I tried the same 3 commands on the RESTORED domain controller.

repadmin /replicate RESTORED_SERVER1.DOMAIN.COM WORKING_DC.DOMAIN.COM DC=DOMAIN,DC=COM /force

repadmin /replicate RESTORED_SERVER1.DOMAIN.COM WORKING_DC.DOMAIN.COM CN=configuration, DC=DOMAIN,DC=COM /force

repadmin /replicate RESTORED_SERVER1.DOMAIN.COM WORKING_DC.DOMAIN.COM CN=schema,CN=configuration, DC=DOMAIN,DC=COM /force

C:\Users\Administrator> repadmin /replicate RESTORED_SERVER1.DOMAIN.COM WORKING_DC.DOMAIN.COM DC=DOMAIN,DC=COM /force

DsReplicaSync() failed with status 8418 (0x20e2):
    The replication operation failed because of a schema mismatch between the servers involved.

C:\Users\Administrator> repadmin /replicate RESTORED_SERVER1.DOMAIN.COM WORKING_DC.DOMAIN.COM CN=configuration, DC=DOMAIN,DC=COM /force

DsReplicaSync() failed with status 8418 (0x20e2):
    The replication operation failed because of a schema mismatch between the servers involved.

C:\Users\Administrator> repadmin /replicate RESTORED_SERVER1.DOMAIN.COM WORKING_DC.DOMAIN.COM CN=schema,CN=configuration, DC=DOMAIN,DC=COM /force

DsReplicaSync() failed with status 8451 (0x2103):
    The replication operation encountered a database error.

Any help would be appreciated

Contents

  1. Chapter 12. LDAP errors and troubleshooting
  2. Standard LDAP error messages
  3. OpenLDAP logs

Chapter 12. LDAP errors and troubleshooting

OpenLDAP is sometimes criticized for its terse error messages and weak diagnostics. This is partly a consequence of the general drive to standardize error messages, which limits how informative or creative a directory implementation's messages can be (in fairness, the standards do provide a text element in the message for describing the problem more precisely), and partly because many error messages pass through client programs, which may seriously distort the original diagnostic.

The best source of diagnostic information is the OpenLDAP log at a suitable level (the most complete being, without question, loglevel -1).

Below we give some notes on how to read OpenLDAP logs, followed by the standard LDAP error messages with some hints as to what the cause of each error may be.

Standard LDAP error messages

These error messages are defined in section 4.1.9 of RFC 4511 and in the draft LDAP C API RFC (dated 2000), and were confirmed by examining the LDAPResult.h header file of the OpenLDAP distribution. Codes 81 and above are C API codes: they are assigned by the client library and are never sent by a server.

Error name  Code  Explanation / causes
LDAP_SUCCESS  0 (0x00)  The request completed successfully.
LDAP_OPERATIONS_ERROR  1 (0x01)  An operations error occurred.
LDAP_PROTOCOL_ERROR  2 (0x02)  A protocol violation was detected.
LDAP_TIMELIMIT_EXCEEDED  3 (0x03)  An LDAP time limit was exceeded.
LDAP_SIZELIMIT_EXCEEDED  4 (0x04)  An LDAP size limit was exceeded.
LDAP_COMPARE_FALSE  5 (0x05)  A compare operation returned false.
LDAP_COMPARE_TRUE  6 (0x06)  A compare operation returned true.
LDAP_STRONG_AUTH_NOT_SUPPORTED  7 (0x07)  The LDAP server does not support strong authentication.
LDAP_STRONG_AUTH_REQUIRED  8 (0x08)  Strong authentication is required for the operation.
LDAP_PARTIAL_RESULTS  9 (0x09)  Only partial results were returned.
LDAP_REFERRAL  10 (0x0A)  Indicates an LDAP referral response. The message contains one or more LDAP URLs to which the client should redirect subsequent operations for this DN.
LDAP_ADMINLIMIT_EXCEEDED  11 (0x0B)  Indicates that a server-side limit on the number of entries returned by a search has been exceeded.
LDAP_UNAVAILABLE_CRITICAL_EXTENSION  12 (0x0C)  Indicates that a control or matching rule requested in the operation is not supported by this server.
LDAP_CONFIDENTIALITY_REQUIRED  13 (0x0D)  The server's configuration requires some form of confidentiality (TLS/SSL or SASL) when binding with the supplied DN; for example, a security directive defined globally or in a database section may require a certain SSF for simple_bind or for update operations.
LDAP_SASL_BIND_IN_PROGRESS  14 (0x0E)  The server is currently performing a SASL bind and the requested operation is invalid in that context.
(unassigned)  15 (0x0F)  Not used.
LDAP_NO_SUCH_ATTRIBUTE  16 (0x10)  The attribute specified in the request is not present in the entry.
LDAP_UNDEFINED_TYPE  17 (0x11)  The attribute type specified in the request was invalid.
LDAP_INAPPROPRIATE_MATCHING  18 (0x12)  Indicates that the matching rule in an extensible match filter is not supported for the specified attribute type.
LDAP_CONSTRAINT_VIOLATION  19 (0x13)  An attribute value specified in the operation violates some constraint.
    Possible causes:
    1. The string is too long.
    2. Wrong type: a string written to a numeric attribute.
    3. Invalid value, e.g. the attribute may only take a specific value or one of a set of values.
LDAP_TYPE_OR_VALUE_EXISTS  20 (0x14)  The attribute type or attribute value specified already exists in the entry.
    Possible cause:
    1. When adding an entry, one or more attributes in the LDIF (or in the add/replace operation) for the entry are exact duplicates.
LDAP_INVALID_SYNTAX  21 (0x15)  An invalid attribute value was specified.
(unassigned)  22-31 (0x16-0x1F)  Not used.
LDAP_NO_SUCH_OBJECT  32 (0x20)  The specified entry does not exist in the directory (DIT).
LDAP_ALIAS_PROBLEM  33 (0x21)  An alias in the DIT points to a nonexistent entry.
LDAP_INVALID_DN_SYNTAX  34 (0x22)  A syntactically invalid DN was specified. Can also occur if you use an LDIF-format file (dn: cn=xxx, etc.) with the ldapdelete utility, which requires only a plain DN.
(reserved)  35 (0x23)  Reserved and not used in LDAPv3 (LDAPv2: LDAP_IS_LEAF, the specified object is a leaf, i.e. it has no child objects).
LDAP_ALIAS_DEREF_PROBLEM  36 (0x24)  A problem occurred while dereferencing an alias. See also error 33.
(unassigned)  37-47 (0x25-0x2F)  Not used.
LDAP_INAPPROPRIATE_AUTH  48 (0x30)  An authentication method was specified that cannot be performed, e.g. LDAP_AUTH_SIMPLE was specified but the entry has no userPassword attribute.
LDAP_INVALID_CREDENTIALS  49 (0x31)  Invalid credentials were supplied, e.g. a wrong password.
    Additional text: unable to get TLS Client DN.
    Possible causes:
    1. No client certificate was supplied while the TLSVerifyClient directive is set to 'demand'.
    2. No client certificate was supplied while the TLSVerifyClient directive is set to 'never'. In this case the message is not fatal and the client continues to be served.
LDAP_INSUFFICIENT_ACCESS  50 (0x32)  The user has insufficient access rights to perform the requested operation.
LDAP_BUSY  51 (0x33)  The server (DSA) is too busy to perform the requested operation.
LDAP_UNAVAILABLE  52 (0x34)  The DSA is unavailable; it may, for example, be stopped, paused or still initializing.
LDAP_UNWILLING_TO_PERFORM  53 (0x35)  The server (DSA) is unwilling to perform the requested operation.
    Additional text: no global superior knowledge. The name of the entry being added or modified is not within any naming context and the server has no valid superior referral.
    Possible cause: no olcSuffix attribute (suffix directive in slapd.conf) is defined for the DIT being referenced.
    Additional text: Shadow context; no update referral. The DIT being modified is a read-only replica and, because there is no updateref directive, no referral can be returned.
    Possible causes:
    1. An attempt was made to write to a read-only replica (in a syncrepl configuration the consumer is always read-only).
    2. In a syncrepl multi-master configuration the mirrormode true directive may be missing from slapd.conf.
    3. If slapd was started with slapd.conf while a slapd.d (cn=config) directory also exists, later modifications to the DIT may fail with this message. In particular, FreeBSD requires an explicit setting in rc.conf (slapd_cn_config="YES") to force the use of slapd.d.
LDAP_LOOP_DETECT  54 (0x36)  A loop was detected.
(unassigned)  55-59 (0x37-0x3B)  Not used.
LDAP_SORT_CONTROL_MISSING  60 (0x3C)  Not in the standards; Sun LDAP Directory Server only. The server did not receive a required server-side sort control.
LDAP_RANGE_INDEX_ERROR  61 (0x3D)  Not in the standards; Sun LDAP Directory Server only. The query results exceeded the range specified in the request.
(unassigned)  62-63 (0x3E-0x3F)  Not used.
LDAP_NAMING_VIOLATION  64 (0x40)  Indicates that the request contains a naming violation with respect to the current DIT.
LDAP_OBJECT_CLASS_VIOLATION  65 (0x41)  An object class violation occurred under the current schema set, e.g. a required (MUST) attribute was omitted when adding an entry.
LDAP_NOT_ALLOWED_ON_NONLEAF  66 (0x42)  The operation is not allowed on a non-leaf entry (one that has child entries).
LDAP_NOT_ALLOWED_ON_RDN  67 (0x43)  An operation on an RDN, e.g. deleting the attribute used as the RDN of the DN, is not allowed.
LDAP_ALREADY_EXISTS  68 (0x44)  The entry already exists in this DIT.
LDAP_NO_OBJECT_CLASS_MODS  69 (0x45)  Modification of the object class is not allowed.
LDAP_RESULTS_TOO_LARGE  70 (0x46)  C API only (draft RFC). The results are too large to fit in the message.
LDAP_AFFECTS_MULTIPLE_DSAS  71 (0x47)  Indicates that the operation would have to be performed on multiple servers (DSAs), which is not allowed.
(unassigned)  72-79 (0x48-0x4F)  Not used.
LDAP_OTHER  80 (0x50)  An unknown error occurred.
    Possible cause: an attempt to delete an attribute (especially in cn=config) whose deletion is prohibited.
    Additional text: olcDbDirectory: value #0: invalid path: No such file or directory
    Possible cause: the directory for a new database must exist before the database is initialized.
LDAP_SERVER_DOWN  81 (0x51)  C API only (draft RFC). The LDAP library cannot contact the LDAP server.
LDAP_LOCAL_ERROR  82 (0x52)  C API only (draft RFC). Some local error occurred; usually a failed dynamic memory allocation.
LDAP_ENCODING_ERROR  83 (0x53)  C API only (draft RFC). An error occurred while encoding parameters sent to the LDAP server.
LDAP_DECODING_ERROR  84 (0x54)  C API only (draft RFC). An error occurred while decoding results received from the LDAP server.
LDAP_TIMEOUT  85 (0x55)  C API only (draft RFC). A time limit was exceeded while waiting for results.
LDAP_AUTH_UNKNOWN  86 (0x56)  C API only (draft RFC). An unknown authentication method was specified in ldap_bind().
LDAP_FILTER_ERROR  87 (0x57)  C API only (draft RFC). An invalid filter was supplied to ldap_search() (e.g. unbalanced parentheses in the filter).
LDAP_USER_CANCELLED  88 (0x58)  C API only (draft RFC). Indicates that the user cancelled the requested operation.
LDAP_PARAM_ERROR  89 (0x59)  C API only (draft RFC). An ldap routine was called with invalid parameters.
LDAP_NO_MEMORY  90 (0x5A)  C API only (draft RFC). A memory allocation (e.g. malloc(3) or another dynamic allocation mechanism) failed inside an ldap library routine.
LDAP_CONNECT_ERROR  91 (0x5B)  C API only (draft RFC). The library/client cannot connect to the LDAP server specified in the URL.
LDAP_NOT_SUPPORTED  92 (0x5C)  C API only (draft RFC). Indicates that the request uses a feature not supported by this server.
LDAP_CONTROL_NOT_FOUND  93 (0x5D)  C API only (draft RFC). The requested control was not found on this server.
LDAP_NO_RESULTS_RETURNED  94 (0x5E)  C API only (draft RFC). The requested operation succeeded but no results were returned (received).
LDAP_MORE_RESULTS_TO_RETURN  95 (0x5F)  C API only (draft RFC). The requested operation succeeded but more results remain to be returned than could fit in the current message.
LDAP_CLIENT_LOOP  96 (0x60)  C API only (draft RFC). The client detected a loop, e.g. while following referrals.
LDAP_REFERRAL_LIMIT_EXCEEDED  97 (0x61)  C API only (draft RFC). The server or client exceeded a configured limit while following referrals.

OpenLDAP logs

This section shows OpenLDAP logs with our explanations. Lines beginning with # are comments added for explanation; they do not appear in real logs.

We have been fighting a strange LDAP error for a few days. The following code worked fine for more than a year. Suddenly it returns local error (0x52) for several user CNs.

The relevant code (connect and bind always work; only the search fails for some user CNs):

$ldapconn = ldap_connect("LDAP URL")
    or die("Connection failed.");

ldap_bind($ldapconn, 'USERNAME', 'PASSWORD')
    or die("Binding failed");

$ldapsearch = ldap_search($ldapconn, '', '(&(uniqueMember=CN=FIRSTNAME LASTNAME,O=COMPANY)(objectClass=groupOfNames))')
    or die("Search failed: ".ldap_error($ldapconn));

The strange thing is that this code works for most users, but not for some.

For example:

$ldapsearch = ldap_search($ldapconn, '', '(&(uniqueMember=CN=FIRSTNAME_1 LASTNAME_1,O=COMPANY)(objectClass=groupOfNames))')
    -> works

$ldapsearch = ldap_search($ldapconn, '', '(&(uniqueMember=CN=FIRSTNAME_2 LASTNAME_2,O=COMPANY)(objectClass=groupOfNames))')
    -> fails

But both CNs definitely exist (in the Softerra LDAP browser both searches work, and in Lotus Notes both users look identical; it is only with some LDAP clients and the PHP code that it does not work).

We also found the following statement from IBM on this page:
https://www.ibm.com/support/knowledgecenter/en/ssw_ibm_i_71/apis/ldap_error_condt.htm

0x52 - Some local error occurred. This usually indicates that either the LDAP support (IBM® i option 32) is not installed on the system, or a malloc() operation has failed

LDAP support is installed, and we do not know where a memory allocation could have failed.

If you need more information, let me know.

Any help is appreciated.

UPDATE:

We tried the search from CentOS using the CLI and got the same local error (so it is not a PHP LDAP problem; more likely a problem with the Domino/Notes server):

ldapsearch -D "USERNAME" -w PASSWORD -h LDAP_URL -b "" -s sub "(&(uniqueMember=CN=FIRSTNAME LASTNAME,O=COMPANY)(objectClass=groupOfNames))"
    -> ldap_result: Local error (-2)

The error always occurs for the same users. The CNs of the affected users contain no special or similar characters, and no double letters or double surnames.
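Both questions on this page (the repadmin run that cannot reach its "home server" with LDAP Error 82, and the PHP/ldapsearch search that comes back with local error 0x52 / -2) turn on the same point: code 82 sits in the client-library range of the table above, so it is assigned on the machine running the client rather than returned by the directory server, which fits the empty "Server Win32 Error 0(0x0)" and "Extended Information" lines in the repadmin output. The PowerShell script below is an added example and is not code from either post; it uses the System.DirectoryServices.Protocols client to bind, run one search, and report whether a failure came from the client library (LdapException, where 82 lives) or from the server (DirectoryOperationException, carrying a server result code such as 32 or 49). It also escapes the CN before placing it in the filter, since the PHP snippet splices the name in unescaped. The host names, DNs, user name and the (objectClass=domainDNS) filter are placeholders taken from the posts or chosen for illustration, not real values.

```powershell
# Added example (not code from either post above): bind to an LDAP server, run one
# search, and say whether a failure was raised inside the client library (LdapException;
# result code 82 / LDAP_LOCAL_ERROR originates here) or returned by the server
# (DirectoryOperationException). Host names, DNs and filters are placeholders.
Add-Type -AssemblyName System.DirectoryServices.Protocols

# RFC 4515 section 3 escaping for a value placed inside a search filter, so that a CN
# taken from user input cannot change the structure of the filter.
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string]$Value)
    $sb = New-Object System.Text.StringBuilder
    foreach ($b in [System.Text.Encoding]::UTF8.GetBytes($Value)) {
        # '*', '(', ')', '\', NUL and any non-printable or non-ASCII byte become \xx
        if (($b -in @(0x2A, 0x28, 0x29, 0x5C, 0x00)) -or ($b -lt 0x20) -or ($b -gt 0x7E)) {
            [void]$sb.Append('\' + $b.ToString('x2'))
        } else {
            [void]$sb.Append([char]$b)
        }
    }
    $sb.ToString()
}

function Invoke-LdapProbe {
    param(
        [Parameter(Mandatory)][string]$Server,     # DNS name of the LDAP server (placeholder in the usage below)
        [ValidateSet('Negotiate', 'Basic')][string]$Auth = 'Negotiate',
        [pscredential]$Credential,                 # only used for Basic
        [int]$Port = 0,                            # 0 = 389 for Negotiate, 636 (LDAPS) for Basic
        [string]$BaseDn = '',
        [string]$Filter = '(objectClass=*)',
        [string[]]$Attributes = @('1.1')           # '1.1' requests no attributes (RFC 4511 4.5.1.8)
    )
    if ($Port -eq 0) { $Port = if ($Auth -eq 'Basic') { 636 } else { 389 } }
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.Timeout = [TimeSpan]::FromSeconds(15)
    if ($Auth -eq 'Negotiate') {
        # Kerberos/NTLM through SSPI; demand signing and sealing so the session is not plaintext.
        $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
        $conn.SessionOptions.Signing = $true
        $conn.SessionOptions.Sealing = $true
    } else {
        # A simple bind sends the password as-is, so only do it inside TLS (LDAPS).
        $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
        $conn.SessionOptions.SecureSocketLayer = $true
        $conn.Credential = $Credential.GetNetworkCredential()
    }
    $result = [ordered]@{ Server = $Server; Port = $Port; Auth = $Auth; Origin = ''; ResultCode = 0; Entries = 0; Detail = '' }
    try {
        $conn.Bind()
        $req  = New-Object System.DirectoryServices.Protocols.SearchRequest($BaseDn, $Filter, 'Subtree', $Attributes)
        $resp = $conn.SendRequest($req)
        $result.Origin     = 'ok'
        $result.ResultCode = [int]$resp.ResultCode
        $result.Entries    = $resp.Entries.Count
    } catch [System.DirectoryServices.Protocols.DirectoryException] {
        # PowerShell may wrap a .NET exception in MethodInvocationException; unwrap to the LDAP one.
        $ex = $_.Exception
        while ($ex -isnot [System.DirectoryServices.Protocols.DirectoryException]) { $ex = $ex.InnerException }
        if ($ex -is [System.DirectoryServices.Protocols.DirectoryOperationException]) {
            # The server answered with a non-success result (32 noSuchObject, 49 invalidCredentials, ...).
            $result.Origin     = 'server'
            $result.ResultCode = [int]$ex.Response.ResultCode
            $result.Detail     = $ex.Response.ErrorMessage
        } else {
            # LdapException: raised by the client library itself. ErrorCode is the LDAP result
            # code it assigned; 82 (LDAP_LOCAL_ERROR) means the failure is on this machine (on
            # Windows most often the SSPI/Kerberos step of a Negotiate bind), so the client's
            # Kerberos ticket, the target's SPN and clock skew are the first things to check.
            $result.Origin     = 'client'
            $result.ResultCode = $ex.ErrorCode
            $result.Detail     = ($ex.Message + ' ' + $ex.ServerErrorMessage).Trim()
        }
    } finally {
        $conn.Dispose()
    }
    [pscustomobject]$result
}

# Usage with the placeholder names from the posts: the AD case over Kerberos, then the
# Domino groupOfNames lookup as a simple bind over LDAPS with an escaped CN.
Invoke-LdapProbe -Server 'WORKING_DC.DOMAIN.COM' -BaseDn 'DC=DOMAIN,DC=COM' -Filter '(objectClass=domainDNS)'
$cn = ConvertTo-LdapFilterValue 'FIRSTNAME LASTNAME'
Invoke-LdapProbe -Server 'LDAP_URL' -Auth Basic -Credential (Get-Credential 'USERNAME') `
    -Filter "(&(uniqueMember=CN=$cn,O=COMPANY)(objectClass=groupOfNames))"
```

Run it from the same machine and with the same account that produced the error: an Origin of 'client' with ResultCode 82 confirms the problem is local to that client, and nothing about it will show up in the server's result or logs for that request, whereas an Origin of 'server' gives you the result code the directory actually returned. The Negotiate path insists on signing and sealing and the Basic path insists on LDAPS so that the probe itself never puts a password or directory data on the wire in clear.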


LDAP_ENCODING_ERROR
83 (x’53)
Только C API (черновой RFC). Произошла ошибка при кодировании параметров, отправляемых на LDAP-сервер.

LDAP_DECODING_ERROR
84 (x’54)
Только C API (черновой RFC). Произошла ошибка при декодировании результатов, полученных от LDAP-сервера.

LDAP_TIMEOUT
85 (x’55)
Только C API (черновой RFC). При ожидании результатов было превышено ограничение по времени.

LDAP_AUTH_UNKNOWN
86 (x’56)
Только C API (черновой RFC). В ldap_bind() был указан неизвестный метод аутентификации.

LDAP_FILTER_ERROR
87 (x’57)
Только C API (черновой RFC). Операции ldap_search() был предоставлен неправильный фильтр (например, количество открывающихся и закрывающихся скобок в фильтре не совпадает).

LDAP_USER_CANCELLED
88 (x’58)
Только C API (черновой RFC). Указывает на то, что пользователь прервал запрошенную операцию.

LDAP_PARAM_ERROR
89 (x’59)
Только C API (черновой RFC). Процедура ldap была вызвана с неверными параметрами.

LDAP_NO_MEMORY
90 (x’5A)
Только C API (черновой RFC). Выделение памяти (например, с помощью malloc(3) или другого механизма динамического выделения памяти) вызвало сбой в процедуре из библиотеки ldap.

LDAP_CONNECT_ERROR
91 (x’5B)
Только C API (черновой RFC). Библиотека/клиент не может соединиться с LDAP-сервером, указанным в URL.

LDAP_NOT_SUPPORTED
92 (x’5C)
Только C API (черновой RFC). Указывает на то, что в запросе используется функция, не поддерживаемая данным сервером.

LDAP_CONTROL_NOT_FOUND
93 (x’5D)
Только C API (черновой RFC). Запрашиваемый элемент управления не найден на данном сервере.

LDAP_NO_RESULTS_RETURNED
94 (x’5E)
Только C API (черновой RFC). Запрашиваемая операция завершилась успешно, но никаких результатов возвращено (получено) не было.

LDAP_MORE_RESULTS_TO_RETURN
95 (x’5F)
Только C API (черновой RFC). Запрашиваемая операция завершилась успешно, но должны быть возвращены дополнительные результаты, которые можно уместить в текущее сообщение.

LDAP_CLIENT_LOOP
96 (x’60)
Только C API (черновой RFC). Клиент выявил зацикливание, например, при следовании по отсылкам.

LDAP_REFERRAL_LIMIT_EXCEEDED
97 (x’61)
Только C API (черновой RFC). Сервер или клиент превысил какое-либо установленное ограничение при следовании по отсылкам.

This section lists some of the result codes that can be returned by functions in the LDAP C SDK. For ease of use, they are first listed in numerical order, then in alphabetical order.

LDAP result codes are extensible; thus, LDAP v3 extensions may define their own error codes, and register them with the Internet Assigned Numbers Authority (IANA). The IANA maintains a list of registered LDAP parameters, including result codes. This list includes what LDAP C SDK currently knows in terms of result codes. More information can be found in RFC 4520, Internet Assigned Numbers Authority (IANA) Considerations for the Lightweight Directory Access Protocol (LDAP).

Result Codes Summary in Numerical Order

The following table gives the decimal and hexadecimal value of all result codes. Values missing from the sequence are not assigned to a result code.

Numerical Listing of Result Codes

Decimal  Hexadecimal  Defined Name
0        0x00         LDAP_SUCCESS
1        0x01         LDAP_OPERATIONS_ERROR
2        0x02         LDAP_PROTOCOL_ERROR
3        0x03         LDAP_TIMELIMIT_EXCEEDED
4        0x04         LDAP_SIZELIMIT_EXCEEDED
5        0x05         LDAP_COMPARE_FALSE
6        0x06         LDAP_COMPARE_TRUE
7        0x07         LDAP_STRONG_AUTH_NOT_SUPPORTED
8        0x08         LDAP_STRONG_AUTH_REQUIRED
9        0x09         LDAP_PARTIAL_RESULTS
10       0x0a         LDAP_REFERRAL
11       0x0b         LDAP_ADMINLIMIT_EXCEEDED
12       0x0c         LDAP_UNAVAILABLE_CRITICAL_EXTENSION
13       0x0d         LDAP_CONFIDENTIALITY_REQUIRED
14       0x0e         LDAP_SASL_BIND_IN_PROGRESS

16       0x10         LDAP_NO_SUCH_ATTRIBUTE
17       0x11         LDAP_UNDEFINED_TYPE
18       0x12         LDAP_INAPPROPRIATE_MATCHING
19       0x13         LDAP_CONSTRAINT_VIOLATION
20       0x14         LDAP_TYPE_OR_VALUE_EXISTS
21       0x15         LDAP_INVALID_SYNTAX

32       0x20         LDAP_NO_SUCH_OBJECT
33       0x21         LDAP_ALIAS_PROBLEM
34       0x22         LDAP_INVALID_DN_SYNTAX
35       0x23         LDAP_IS_LEAF
36       0x24         LDAP_ALIAS_DEREF_PROBLEM

48       0x30         LDAP_INAPPROPRIATE_AUTH
49       0x31         LDAP_INVALID_CREDENTIALS
50       0x32         LDAP_INSUFFICIENT_ACCESS
51       0x33         LDAP_BUSY
52       0x34         LDAP_UNAVAILABLE
53       0x35         LDAP_UNWILLING_TO_PERFORM
54       0x36         LDAP_LOOP_DETECT

60       0x3c         LDAP_SORT_CONTROL_MISSING
61       0x3d         LDAP_INDEX_RANGE_ERROR

64       0x40         LDAP_NAMING_VIOLATION
65       0x41         LDAP_OBJECT_CLASS_VIOLATION
66       0x42         LDAP_NOT_ALLOWED_ON_NONLEAF
67       0x43         LDAP_NOT_ALLOWED_ON_RDN
68       0x44         LDAP_ALREADY_EXISTS
69       0x45         LDAP_NO_OBJECT_CLASS_MODS
70       0x46         LDAP_RESULTS_TOO_LARGE
71       0x47         LDAP_AFFECTS_MULTIPLE_DSAS

80       0x50         LDAP_OTHER
81       0x51         LDAP_SERVER_DOWN
82       0x52         LDAP_LOCAL_ERROR
83       0x53         LDAP_ENCODING_ERROR
84       0x54         LDAP_DECODING_ERROR
85       0x55         LDAP_TIMEOUT
86       0x56         LDAP_AUTH_UNKNOWN
87       0x57         LDAP_FILTER_ERROR
88       0x58         LDAP_USER_CANCELLED
89       0x59         LDAP_PARAM_ERROR
90       0x5a         LDAP_NO_MEMORY
91       0x5b         LDAP_CONNECT_ERROR
92       0x5c         LDAP_NOT_SUPPORTED
93       0x5d         LDAP_CONTROL_NOT_FOUND
94       0x5e         LDAP_NO_RESULTS_RETURNED
95       0x5f         LDAP_MORE_RESULTS_TO_RETURN
96       0x60         LDAP_CLIENT_LOOP
97       0x61         LDAP_REFERRAL_LIMIT_EXCEEDED

Result Codes Reference in Alphabetical Order

The following section contains the detailed reference information for each result code listed in alphabetical order by code name.

LDAP_ADMINLIMIT_EXCEEDED

This result code indicates that the look-through limit on a search operation has been exceeded. The look-through limit is the maximum number of entries that the server will check when gathering a list of potential search result candidates.

Note: When working with Directory Server, keep in mind the following:

  • If you are bound as the root DN, the server sets an infinite look-through limit.
  • If you are not bound as the root DN, the server sets a time limit.

#define LDAP_ADMINLIMIT_EXCEEDED 0x0b /* 11 */

LDAP_AFFECTS_MULTIPLE_DSAS

This result code indicates that the requested operation needs to be performed on multiple servers, where this operation is not permitted.

#define LDAP_AFFECTS_MULTIPLE_DSAS 0x47 /* 71 */

LDAP_ALIAS_DEREF_PROBLEM

This result code indicates that a problem occurred when dereferencing an alias.

Note: Directory Server does not currently send this result code back to LDAP clients.

#define LDAP_ALIAS_DEREF_PROBLEM 0x24 /* 36 */

LDAP_ALIAS_PROBLEM

This result code indicates that the alias is invalid.

Note: Directory Server does not currently send this result code back to LDAP clients.

#define LDAP_ALIAS_PROBLEM 0x21 /* 33 */

LDAP_ALREADY_EXISTS

This result code indicates that the request is attempting to add an entry that already exists in the directory. Directory Server sends this result code back to the client in the following situations:

  • The request is an add request, and the entry already exists in the directory.
  • The request is a modify DN request, and the new DN of the entry already identifies another entry.
  • The request is adding an attribute to the schema, and an attribute with the specified name or object identifier (OID) already exists.

#define LDAP_ALREADY_EXISTS 0x44 /* 68 */

LDAP_AUTH_UNKNOWN

This result code indicates that an unknown authentication method was specified.

Note: LDAP C SDK library sets this result code if ldap_bind() or ldap_bind_s() are called and an authentication method other than LDAP_AUTH_SIMPLE is specified. These functions only allow you to use simple authentication.

#define LDAP_AUTH_UNKNOWN 0x56 /* 86 */

LDAP_BUSY

This result code indicates that the server is currently too busy to perform the requested operation.

#define LDAP_BUSY 0x33 /* 51 */

LDAP_CLIENT_LOOP

This result code indicates that the LDAP client detected a loop, for example, when following referrals.

#define LDAP_CLIENT_LOOP 0x60 /* 96 */

LDAP_COMPARE_FALSE

This result code is returned after an LDAP compare operation is completed. The result indicates that the specified attribute value is not present in the specified entry.

#define LDAP_COMPARE_FALSE 0x05 /* 5 */

LDAP_COMPARE_TRUE

This result code is returned after an LDAP compare operation is completed. The result indicates that the specified attribute value is present in the specified entry.

#define LDAP_COMPARE_TRUE 0x06 /* 6 */

LDAP_CONFIDENTIALITY_REQUIRED

This result code indicates that confidentiality is required for the operation.

#define LDAP_CONFIDENTIALITY_REQUIRED 0x0d /* 13 */

LDAP_CONNECT_ERROR

This result code indicates that the LDAP client cannot establish a connection, or has lost the connection, with the LDAP server. LDAP C SDK sets this result code. If you have not established an initial connection with the server, verify that you have specified the correct host name and port number and that the server is running.

#define LDAP_CONNECT_ERROR 0x5b /* 91 */

LDAP_CONSTRAINT_VIOLATION

This result code indicates that a value in the request does not comply with certain constraints. Directory Server sends this result code back to the client in the following situations:

  • The request adds or modifies the userpassword attribute, and one of the following is true:
    • The server is configured to check the password syntax, and the length of the new password is less than the minimum password length.
    • The server is configured to check the password syntax, and the new password is the same as one of the values of the uid, cn, sn, givenname, ou, or mail attributes.
    • The server is configured to keep a history of previous passwords, and the new password is the same as one of the previous passwords.
  • The request is a bind request, and the user is locked out of the account. (For example, the server can be configured to lock a user out of the account after a given number of failed attempts to bind to the server.)

#define LDAP_CONSTRAINT_VIOLATION 0x13 /* 19 */

LDAP_CONTROL_NOT_FOUND

This result code indicates that a requested LDAP control was not found. LDAP C SDK sets this result code when parsing a server response for controls and not finding the requested controls. For example:

  • ldap_parse_entrychange_control() is called, but no entry change notification control is found in the server's response.
  • ldap_parse_sort_control() is called, but no server-side sorting control is found in the server's response.
  • ldap_parse_virtuallist_control() is called, but no virtual list view response control is found in the server's response.

#define LDAP_CONTROL_NOT_FOUND 0x5d /* 93 */

LDAP_DECODING_ERROR

This result code indicates that the LDAP client encountered an error when decoding the LDAP response received from the server.

#define LDAP_DECODING_ERROR 0x54 /* 84 */

LDAP_ENCODING_ERROR

This result code indicates that the LDAP client encountered an error when encoding the LDAP request to be sent to the server.

#define LDAP_ENCODING_ERROR 0x53 /* 83 */

LDAP_FILTER_ERROR

This result code indicates that an error occurred when specifying the search filter. LDAP C SDK sets this result code if it cannot encode the specified search filter in an LDAP search request.

#define LDAP_FILTER_ERROR 0x57 /* 87 */
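The usual way to end up with LDAP_FILTER_ERROR (and the mismatched-parentheses case the translated OpenLDAP reference above mentions for code 87) is to splice untrusted text straight into a filter string. The C program below is an added example, not code from the LDAP C SDK or its documentation; the names ldap_filter_escape, build_uid_filter and filter_parens_balanced are hypothetical. It applies the RFC 4515 rule that the bytes `(`, `)`, `*`, `\` and NUL inside an assertion value must be written as `\28`, `\29`, `\2a`, `\5c` and `\00`, and contrasts the escaped filter with a naive concatenation on constructed inputs: a stray `)` in the naive version produces the unbalanced filter the SDK rejects, and a `*` silently turns an equality match into a wildcard unless escaped.

```c
/* Added example (not LDAP C SDK code): escape untrusted values before they
 * are spliced into a search filter. RFC 4515 requires the bytes ( ) * \ and
 * NUL inside an assertion value to be written as \28 \29 \2a \5c \00.
 * All function names here are hypothetical. */
#include <stdio.h>
#include <string.h>

/* Escape n bytes of `in` into `out` (capacity outlen, NUL-terminated).
 * Returns the escaped length, or -1 if `out` is too small.
 * Bytes >= 0x80 pass through unchanged, so UTF-8 values stay intact. */
static int ldap_filter_escape(const char *in, size_t n, char *out, size_t outlen)
{
    static const char hex[] = "0123456789abcdef";
    size_t o = 0;

    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)in[i];
        if (c == '(' || c == ')' || c == '*' || c == '\\' || c == '\0') {
            if (o + 3 >= outlen) return -1;      /* room for \XX plus NUL */
            out[o++] = '\\';
            out[o++] = hex[c >> 4];
            out[o++] = hex[c & 0x0f];
        } else {
            if (o + 1 >= outlen) return -1;
            out[o++] = (char)c;
        }
    }
    out[o] = '\0';
    return (int)o;
}

/* Safe way: "(uid=<escaped value>)". Returns 0 on success, -1 on overflow. */
static int build_uid_filter(const char *uid, char *out, size_t outlen)
{
    char esc[512];
    int n;

    if (ldap_filter_escape(uid, strlen(uid), esc, sizeof esc) < 0) return -1;
    n = snprintf(out, outlen, "(uid=%s)", esc);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Returns 1 if parentheses outside \XX escapes are balanced, else 0.
 * An unbalanced filter is exactly what makes the SDK return
 * LDAP_FILTER_ERROR (0x57) before any request reaches the server. */
static int filter_parens_balanced(const char *filter)
{
    int depth = 0;

    for (const char *p = filter; *p; p++) {
        if (*p == '\\' && p[1] != '\0') { p++; continue; } /* skip escaped byte */
        if (*p == '(') depth++;
        else if (*p == ')' && --depth < 0) return 0;
    }
    return depth == 0;
}

/* Helpers used by the demo: build the filter both ways and inspect it. */
static int escaped_filter_matches(const char *uid, const char *expected)
{
    char buf[600];
    return build_uid_filter(uid, buf, sizeof buf) == 0 && strcmp(buf, expected) == 0;
}

static int escaped_filter_balanced(const char *uid)
{
    char buf[600];
    return build_uid_filter(uid, buf, sizeof buf) == 0 && filter_parens_balanced(buf);
}

/* The unsafe pattern: raw concatenation, no escaping. */
static int naive_filter_balanced(const char *uid)
{
    char buf[600];
    snprintf(buf, sizeof buf, "(uid=%s)", uid);
    return filter_parens_balanced(buf);
}

int main(void)
{
    /* Constructed inputs: a normal uid, one with a wildcard, one with a stray ')' */
    const char *inputs[] = { "bjensen", "bj*", "bjensen)" };
    char buf[600];

    for (size_t i = 0; i < 3; i++) {
        build_uid_filter(inputs[i], buf, sizeof buf);
        printf("%-10s escaped: %-22s naive filter balanced: %d\n",
               inputs[i], buf, naive_filter_balanced(inputs[i]));
    }
    return 0;
}
```

Escaping at the point where the value enters the filter is the check that matters: a balanced filter built from unescaped input passes the SDK's encoder and is sent to the server with whatever meaning the input gave it, while LDAP_FILTER_ERROR only catches the unbalanced cases.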

LDAP_INAPPROPRIATE_AUTH

This result code indicates that the type of credentials is not appropriate for the method of authentication used. Directory Server sends this result code back to the client if simple authentication is used in a bind request but the entry has no userpassword attribute, and also if LDAP_SASL_EXTERNAL is attempted on a non-SSL connection.

#define LDAP_INAPPROPRIATE_AUTH 0x30 /* 48 */

LDAP_INAPPROPRIATE_MATCHING

This result code indicates that an extensible match filter in a search request contained a matching rule that does not apply to the specified attribute type.

#define LDAP_INAPPROPRIATE_MATCHING 0x12 /* 18 */

LDAP_INDEX_RANGE_ERROR

This result code indicates that the search results exceeded the range specified by the requested offsets. This result code applies to search requests that contain virtual list view controls.

#define LDAP_INDEX_RANGE_ERROR 0x3D /* 61 */

LDAP_INSUFFICIENT_ACCESS

This result code indicates that the client has insufficient access to perform the operation. Check that the user you are authenticating as has the appropriate permissions.

#define LDAP_INSUFFICIENT_ACCESS 0x32 /* 50 */

LDAP_INVALID_CREDENTIALS

This result code indicates that the credentials provided in the request are invalid. Directory Server sends this result code back to the client if a bind request contains the incorrect credentials for a user or if a user’s password has already expired.

#define LDAP_INVALID_CREDENTIALS 0x31 /* 49 */

LDAP_INVALID_DN_SYNTAX

This result code indicates that an invalid DN has been specified. Directory Server sends this result code back to the client if an add request or a modify DN request specifies an invalid DN. It also sends this code when an LDAP_SASL_EXTERNAL bind is attempted but certificate-to-DN mapping fails.

#define LDAP_INVALID_DN_SYNTAX 0x22 /* 34 */

LDAP_INVALID_SYNTAX

This result code indicates that the request contains invalid syntax. Directory Server sends this result code back to the client in the following situations:

  • The server encounters an access control instruction (ACI) with invalid syntax.
  • The request attempts to add or modify an aci attribute, and the value of the attribute is an ACI with invalid syntax.
  • The request is a search request with a substring filter, and the syntax of the filter is invalid.
  • The request is a modify request that is attempting to modify the schema, but no values are provided (for example, the request might be attempting to delete all values of the objectclass attribute).

#define LDAP_INVALID_SYNTAX 0x15 /* 21 */

LDAP_IS_LEAF

This result code indicates that the specified entry is a leaf entry.

Note: Directory Server does not currently send this result code back to LDAP clients.

#define LDAP_IS_LEAF 0x23 /* 35 */

LDAP_LOCAL_ERROR

This result code indicates that an error occurred in the LDAP client, though it may also be returned by Directory Server.

#define LDAP_LOCAL_ERROR 0x52 /* 82 */
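LDAP_LOCAL_ERROR sits in the block of codes (81–97, plus 70) that the translated reference above marks "C API only": they are produced inside the client library, so no server log will ever explain them. The C program below is an added example, not code from the LDAP C SDK or Directory Server; the ldap_policy type and all helper names are hypothetical, and the numeric values are the ones tabulated on this page, defined inline so the example builds without <ldap.h>. It sorts result codes into a fail-closed handling policy (retry only transient codes, never retry authentication failures, treat malformed-request codes as bugs in the calling code) and shows the compare-based password check that only LDAP_COMPARE_TRUE may pass.

```c
/* Added example, not from the LDAP C SDK or Directory Server: a fail-closed
 * handling policy for result codes. Numeric values are those tabulated on
 * this page; the ldap_policy type and all helper names are hypothetical.
 * Values are defined inline so the example builds without <ldap.h>. */
#include <stdio.h>

enum {
    LDAP_SUCCESS = 0x00,                   LDAP_PROTOCOL_ERROR = 0x02,
    LDAP_COMPARE_FALSE = 0x05,             LDAP_COMPARE_TRUE = 0x06,
    LDAP_STRONG_AUTH_NOT_SUPPORTED = 0x07, LDAP_STRONG_AUTH_REQUIRED = 0x08,
    LDAP_PARTIAL_RESULTS = 0x09,           LDAP_REFERRAL = 0x0a,
    LDAP_CONFIDENTIALITY_REQUIRED = 0x0d,  LDAP_SASL_BIND_IN_PROGRESS = 0x0e,
    LDAP_INAPPROPRIATE_AUTH = 0x30,        LDAP_INVALID_CREDENTIALS = 0x31,
    LDAP_INSUFFICIENT_ACCESS = 0x32,       LDAP_BUSY = 0x33,
    LDAP_UNAVAILABLE = 0x34,               LDAP_RESULTS_TOO_LARGE = 0x46,
    LDAP_SERVER_DOWN = 0x51,               LDAP_LOCAL_ERROR = 0x52,
    LDAP_ENCODING_ERROR = 0x53,            LDAP_TIMEOUT = 0x55,
    LDAP_AUTH_UNKNOWN = 0x56,              LDAP_FILTER_ERROR = 0x57,
    LDAP_PARAM_ERROR = 0x59,               LDAP_CONNECT_ERROR = 0x5b,
    LDAP_NOT_SUPPORTED = 0x5c,             LDAP_REFERRAL_LIMIT_EXCEEDED = 0x61
};

typedef enum {
    POLICY_OK,          /* operation completed; the result is usable */
    POLICY_CONTINUE,    /* multi-stage SASL bind: send the next step */
    POLICY_RETRY,       /* transient: back off, reconnect if needed, retry */
    POLICY_AUTH_FAIL,   /* credentials or access rejected: fail closed */
    POLICY_CLIENT_BUG,  /* this process built a bad request: fix the code */
    POLICY_REFERRAL,    /* follow only if referral chasing is enabled */
    POLICY_FATAL        /* anything else: log it and abort the operation */
} ldap_policy;

/* 81-97 (and 70) originate inside the client library; nothing was received
 * from a server, so server-side logs will not explain them. */
static int is_client_library_code(int rc)
{
    return rc == LDAP_RESULTS_TOO_LARGE ||
           (rc >= LDAP_SERVER_DOWN && rc <= LDAP_REFERRAL_LIMIT_EXCEEDED);
}

static ldap_policy result_policy(int rc)
{
    switch (rc) {
    case LDAP_SUCCESS: case LDAP_COMPARE_TRUE: case LDAP_COMPARE_FALSE:
        return POLICY_OK;
    case LDAP_SASL_BIND_IN_PROGRESS:
        return POLICY_CONTINUE;
    case LDAP_BUSY: case LDAP_UNAVAILABLE: case LDAP_TIMEOUT:
    case LDAP_SERVER_DOWN: case LDAP_CONNECT_ERROR:
        return POLICY_RETRY;
    case LDAP_INVALID_CREDENTIALS: case LDAP_INSUFFICIENT_ACCESS:
    case LDAP_INAPPROPRIATE_AUTH: case LDAP_STRONG_AUTH_REQUIRED:
    case LDAP_STRONG_AUTH_NOT_SUPPORTED: case LDAP_CONFIDENTIALITY_REQUIRED:
    case LDAP_AUTH_UNKNOWN:
        return POLICY_AUTH_FAIL;
    case LDAP_PROTOCOL_ERROR: case LDAP_ENCODING_ERROR: case LDAP_FILTER_ERROR:
    case LDAP_PARAM_ERROR: case LDAP_NOT_SUPPORTED:
        return POLICY_CLIENT_BUG;
    case LDAP_REFERRAL: case LDAP_PARTIAL_RESULTS:
        return POLICY_REFERRAL;
    default:
        return POLICY_FATAL;   /* includes LDAP_OTHER and LDAP_LOCAL_ERROR */
    }
}

/* Backoff in milliseconds for attempt number `attempt` (0-based), or -1 when
 * the code is not transient or the budget is spent. Only POLICY_RETRY codes
 * are ever retried: an auth failure retried in a loop only drives lockouts. */
static int retry_delay_ms(int rc, int attempt, int max_attempts)
{
    int delay = 100;
    if (result_policy(rc) != POLICY_RETRY || attempt >= max_attempts) return -1;
    for (int i = 0; i < attempt; i++) delay *= 2;
    return delay > 5000 ? 5000 : delay;
}

/* Password check via a compare on userPassword: only LDAP_COMPARE_TRUE
 * authenticates. LDAP_COMPARE_FALSE, LDAP_SUCCESS (which a compare never
 * yields) and every error code all mean "not authenticated". */
static int compare_authenticates(int rc)
{
    return rc == LDAP_COMPARE_TRUE;
}

static const char *policy_name(ldap_policy p)
{
    static const char *names[] = { "ok", "continue", "retry", "auth-fail",
                                   "client-bug", "referral", "fatal" };
    return names[p];
}

int main(void)
{
    /* Constructed sample: codes as a client might see them in one session */
    int codes[] = { 0x0e, 0x33, 0x31, 0x57, 0x52, 0x06 };
    for (size_t i = 0; i < sizeof codes / sizeof codes[0]; i++)
        printf("0x%02x -> %-10s client-library code: %d\n", codes[i],
               policy_name(result_policy(codes[i])), is_client_library_code(codes[i]));
    return 0;
}
```

The default branch is deliberately POLICY_FATAL rather than a retry: codes the policy does not recognise, LDAP_LOCAL_ERROR among them, carry no guarantee that the request never reached the server, so repeating them blindly can duplicate a write or hammer a server that is already struggling.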

LDAP_LOOP_DETECT

This result code indicates that the server was unable to perform the requested operation because of an internal loop.

Note: Directory Server does not currently send this result code back to LDAP clients.

#define LDAP_LOOP_DETECT 0x36 /* 54 */

LDAP_MORE_RESULTS_TO_RETURN

This result code indicates that there are more results in the chain of results. The LDAP C SDK sets this result code when the ldap_parse_sasl_bind_result() function is called to retrieve the result code of an operation, and additional result codes from the server are available in the LDAP structure.

#define LDAP_MORE_RESULTS_TO_RETURN 0x5f /* 95 */

LDAP_NAMING_VIOLATION

This result code indicates that the request violates the structure of the DIT.

Note: Directory Server does not currently send this result code back to LDAP clients.

#define LDAP_NAMING_VIOLATION 0x40 /* 64 */

LDAP_NO_MEMORY

This result code indicates that no memory is available. LDAP C SDK sets this result code if a function cannot allocate memory (for example, when creating an LDAP request or an LDAP control).

#define LDAP_NO_MEMORY 0x5a /* 90 */

LDAP_NO_OBJECT_CLASS_MODS

This result code indicates that the request is attempting to modify an object class that should not be modified (for example, a structural object class).

Note: Directory Server does not currently send this result code back to LDAP clients.

#define LDAP_NO_OBJECT_CLASS_MODS 0x45 /* 69 */

LDAP_NO_RESULTS_RETURNED

This result code indicates that no results were returned from the server. The LDAP C SDK sets this result code when the ldap_parse_result() function is called but no result code is included in the server’s response.

#define LDAP_NO_RESULTS_RETURNED 0x5E /* 94 */

LDAP_NO_SUCH_ATTRIBUTE

This result code indicates that the specified attribute does not exist in the entry. Directory Server might send this result code back to the client if, for example, a modify request specifies the modification or removal of a non-existent attribute or if a compare request specifies a non-existent attribute.

#define LDAP_NO_SUCH_ATTRIBUTE 0x10 /* 16 */

LDAP_NO_SUCH_OBJECT

This result code indicates that the server cannot find an entry specified in the request. Directory Server sends this result code back to the client if it cannot find a requested entry and it cannot refer your client to another LDAP server.

#define LDAP_NO_SUCH_OBJECT 0x20 /* 32 */

LDAP_NOT_ALLOWED_ON_NONLEAF

This result code indicates that the requested operation is allowed only on entries that do not have child entries (leaf entries as opposed to branch entries). Directory Server sends this result code back to the client if the request is a delete request or a modify DN request and the entry is a parent entry. You cannot delete or move a branch of entries in a single operation.

#define LDAP_NOT_ALLOWED_ON_NONLEAF 0x42 /* 66 */

LDAP_NOT_ALLOWED_ON_RDN

This result code indicates that the requested operation will affect the RDN of the entry. Directory Server sends this result code back to the client if the request is a modify request that deletes attribute values from the entry that are used in the RDN of the entry. (For example, the request removes the attribute value uid=bjensen from the entry uid=bjensen,ou=People,dc=example,dc=com.)

#define LDAP_NOT_ALLOWED_ON_RDN 0x43 /* 67 */

LDAP_NOT_SUPPORTED

This result code indicates that the LDAP client is attempting to use functionality that is not supported. LDAP C SDK sets this result code if the client identifies itself as an LDAP v2 client, and the client is attempting to use functionality available in LDAP v3. For example:

  • You are passing LDAP controls to a function.
  • You are calling ldap_extended_operation(), ldap_extended_operation_s(), or ldap_parse_extended_result() to request an extended operation or to parse an extended response.
  • You are calling ldap_rename() or ldap_rename_s(), and you are specifying a new superior DN as an argument.
  • You are calling ldap_sasl_bind(), ldap_sasl_bind_s(), or ldap_parse_sasl_bind_result() to request Simple Authentication and Security Layer (SASL) authentication or to parse a SASL bind response.
  • You are calling ldap_parse_virtuallist_control() to parse a virtual list control from the server's response.

If you want to use these features, make sure to specify that your LDAP client is an LDAP v3 client.

#define LDAP_NOT_SUPPORTED 0x5c /* 92 */

LDAP_OBJECT_CLASS_VIOLATION

This result code indicates that the request specifies a new entry or a change to an existing entry that does not comply with the server’s schema. Directory Server sends this result code back to the client in the following situations:

  • The request is an add request, and the new entry does not comply with the schema. For example, the new entry does not have all the required attributes, or the entry has attributes that are not allowed in the entry.
  • The request is a modify request, and the change would make the entry non-compliant with the schema. For example, the change removes a required attribute or adds an attribute that is not allowed.

Check the server error logs for more information, and the schema for the type of entry that you are adding or modifying.

#define LDAP_OBJECT_CLASS_VIOLATION 0x41 /* 65 */

LDAP_OPERATIONS_ERROR

This is a general result code indicating that an error has occurred. Directory Server might send this code if, for example, memory cannot be allocated on the server. To troubleshoot this type of error, check the server’s error logs. You may need to increase the log level of the server to get additional information.

#define LDAP_OPERATIONS_ERROR 0x01 /* 1 */

LDAP_OTHER

This result code indicates that an unknown error has occurred. Directory Server may return this error when an error occurs that is not better described by another LDAP error code. When this error occurs, check the server's error logs. You may need to increase the log level of the server to get additional information.

#define LDAP_OTHER 0x50 /* 80 */

LDAP_PARAM_ERROR

This result code indicates that an invalid parameter was specified. LDAP C SDK sets this result code if a function was called and invalid parameters were specified, for example, if the LDAP structure is NULL.

#define LDAP_PARAM_ERROR 0x59 /* 89 */

LDAP_PARTIAL_RESULTS

Directory Server sends this result code to LDAP v2 clients to refer them to another LDAP server. When sending this code to a client, the server includes a new line-delimited list of LDAP URLs that identifies another LDAP server. If the client identifies itself as an LDAP v3 client in the request, an LDAP_REFERRAL result code is sent instead of this result code.

#define LDAP_PARTIAL_RESULTS 0x09 /* 9 */

LDAP_PROTOCOL_ERROR

This result code indicates that the LDAP client's request does not comply with the LDAP protocol. Directory Server sends this result code back to the client in the following situations:

  • The server cannot parse the incoming request.
  • The request specifies an attribute type that uses a syntax not supported by the server.
  • The request is a SASL bind request, but your client identifies itself as an LDAP v2 client.
  • The request is a bind request that specifies an unsupported version of LDAP. Make sure to specify whether your LDAP client is an LDAP v2 client or an LDAP v3 client.
  • The request is an add or a modify request that specifies the addition of an attribute type to an entry, but no values are specified.
  • The request is a modify request, and one of the following is true:
    • An unknown modify operation is specified (an operation other than LDAP_MOD_ADD, LDAP_MOD_DELETE, and LDAP_MOD_REPLACE).
    • No modifications are specified.
  • The request is a modify DN request, and one of the following is true:
    • The new RDN is not a valid RDN.
    • A new superior DN is specified, but your client identifies itself as an LDAP v2 client.
  • The request is a search request, and one of the following is true:
    • An unknown scope is specified, meaning a scope other than LDAP_SCOPE_BASE, LDAP_SCOPE_ONELEVEL, or LDAP_SCOPE_SUBTREE.
    • An unknown filter type is specified.
    • The filter type LDAP_FILTER_GE or LDAP_FILTER_LE is specified, but the type of attribute contains values that cannot be ordered. (For example, if the attribute type uses a binary syntax, the values of the attribute contain binary data, which cannot be sorted.)
    • The request contains an extensible filter (a filter using matching rules), but your client identifies itself as an LDAP v2 client.
    • The request contains an extensible filter (a filter using matching rules), but the matching rule is not supported by the server.
  • The request is a search request with a server-side sorting control, and one of the following is true:
    • The server does not have a syntax plug-in that supports the attribute used for sorting.
    • The syntax plug-in does not have a function for comparing values of the attribute. (This compare function is used for sorting.)
    • The type of attribute specified for sorting contains values that cannot be sorted in any order. For example, if the attribute type uses a binary syntax, the values of the attribute contain binary data, which cannot be sorted.
    • The server encounters an error when creating the sorting response control (the control to be sent back to the client).
    • When sorting the results, the time limit or the look-through limit is exceeded. The look-through limit is the maximum number of entries that the server will check when gathering a list of potential search result candidates.
  • The request is an extended operation request, and the server does not support the extended operation. In Directory Server, extended operations are supported through extended operation server plug-ins. Make sure that the server is loading a plug-in that supports the extended operation. Check the OID of the extended operation in your LDAP client to make sure that it matches the OID of the extended operation registered in the server plug-in.
  • An authentication method other than LDAP_AUTH_SIMPLE or LDAP_AUTH_SASL is specified.

To troubleshoot this type of error, check the server’s error logs. You may need to increase the log level of the server to get additional information.

#define LDAP_PROTOCOL_ERROR 0x02 /* 2 */

LDAP_REFERRAL

This result code indicates that the server is referring the client to another LDAP server. When sending this code to a client, the server includes a list of LDAP URLs that identify another LDAP server. This result code is part of LDAP v3. For LDAP v2 clients, Directory Server sends an LDAP_PARTIAL_RESULTS result code instead.

#define LDAP_REFERRAL 0x0a /* 10 */

LDAP_REFERRAL_LIMIT_EXCEEDED

This result code indicates that the referral hop limit was exceeded. LDAP C SDK sets this result code, when following referrals, if the client is referred to other servers more times than the referral hop limit allows.

#define LDAP_REFERRAL_LIMIT_EXCEEDED 0x61 /* 97 */

LDAP_RESULTS_TOO_LARGE

This result code indicates that the results of the request are too large.

Note: Directory Server does not currently send this result code back to LDAP clients.

#define LDAP_RESULTS_TOO_LARGE 0x46 /* 70 */

LDAP_SASL_BIND_IN_PROGRESS

This result code is used in multi-stage SASL bind operations. The server sends this result code back to the client to indicate that the authentication process has not yet completed.

#define LDAP_SASL_BIND_IN_PROGRESS 0x0E /* 14 */

LDAP_SERVER_DOWN

This result code indicates that LDAP C SDK cannot establish a connection with, or lost the connection to, the LDAP server. If you have not established an initial connection with the server, verify that you have specified the correct host name and port number and that the server is running.

#define LDAP_SERVER_DOWN 0x51 /* 81 */

LDAP_SIZELIMIT_EXCEEDED

This result code indicates that the maximum number of search results to return has been exceeded. This limit is specified in the search request. If you specify no size limit, the server will set one. When working with Directory Server, keep in mind the following:

  • If you are bound as the root DN and specify no size limit, the server enforces no size limit at all.
  • If you are not bound as the root DN and specify no size limit, the server sets the size limit to the value specified by the sizelimit directive in the server's slapd.conf configuration file.
  • If the size limit that you specify exceeds the value specified by the sizelimit directive in the server's slapd.conf configuration file, the server uses the size limit specified in the configuration file.

#define LDAP_SIZELIMIT_EXCEEDED 0x04 /* 4 */

LDAP_SORT_CONTROL_MISSING

This result code indicates that the server did not receive a required server-side sorting control. Directory Server sends this result code back to the client if it receives a search request with a virtual list view control but no server-side sorting control, because the virtual list view control requires a server-side sorting control.

#define LDAP_SORT_CONTROL_MISSING 0x3C /* 60 */

LDAP_STRONG_AUTH_NOT_SUPPORTED

This result code is returned as the result of a bind operation. It indicates that the server does not recognize or support the specified authentication method.

#define LDAP_STRONG_AUTH_NOT_SUPPORTED 0x07 /* 7 */

LDAP_STRONG_AUTH_REQUIRED

This result code indicates that a stronger method of authentication is required to perform the operation.

#define LDAP_STRONG_AUTH_REQUIRED 0x08 /* 8 */

LDAP_SUCCESS

This result code indicates that the LDAP operation was successful.

#define LDAP_SUCCESS 0x00 /* 0 */

LDAP_TIMELIMIT_EXCEEDED

This result code indicates that the time limit on a search operation has been exceeded. The time limit is specified in the search request. If you specify no time limit, the server will set one. When working with Directory Server, keep in mind the following:

  • If you are bound as the root DN and specify no time limit, the server enforces no limit at all.
  • If you are not bound as the root DN and specify no time limit, the server sets the time limit.
  • If the time limit that you specify exceeds the time limit specified for the server configuration, the server uses the time limit specified in its configuration.

#define LDAP_TIMELIMIT_EXCEEDED 0x03 /* 3 */

LDAP_TIMEOUT

This result code indicates that the LDAP client timed out while waiting for a response from the server. LDAP C SDK sets this result code in the LDAP structure if the time-out period (for example, in a search request) has been exceeded and the server has not responded.

#define LDAP_TIMEOUT 0x55 /* 85 */

LDAP_TYPE_OR_VALUE_EXISTS

This result code indicates that the request attempted to add an attribute type or value that already exists. Directory Server sends this result code back to the client in the following situations:

  • The request attempts to add values that already exist in the attribute.
  • The request is adding an attribute to the schema of the server, but the OID of the attribute is already used by an object class in the schema.
  • The request is adding an object class to the schema of the server, and one of the following occurs:
    • The object class already exists.
    • The OID of the object class is already used by another object class or an attribute in the schema.
    • The superior object class for this new object class does not exist.

#define LDAP_TYPE_OR_VALUE_EXISTS 0x14 /* 20 */

LDAP_UNAVAILABLE

This result code indicates that the server is unavailable to perform the requested operation.

Note: At this point, neither LDAP C SDK nor Directory Server returns this result code.

#define LDAP_UNAVAILABLE 0x34 /* 52 */

LDAP_UNAVAILABLE_CRITICAL_EXTENSION

This result code indicates that the specified control or matching rule is not supported by the server. Directory Server might send back this result code if the request includes an unsupported control or if the filter in the search request specifies an unsupported matching rule.

#define LDAP_UNAVAILABLE_CRITICAL_EXTENSION 0x0c /* 12 */

LDAP_UNDEFINED_TYPE

This result code indicates that the request specifies an undefined attribute type.

Note: Directory Server does not currently send this result code back to LDAP clients.

#define LDAP_UNDEFINED_TYPE 0x11 /* 17 */

LDAP_UNWILLING_TO_PERFORM

This result code indicates that the server is unwilling to perform the requested operation. Directory Server sends this result code back to the client in the following situations:

  • The client has logged in for the first time and needs to change its password, but the client is requesting to perform other LDAP operations. In this situation, the result code is accompanied by an expired password control.
  • The request is a modify DN request, and a superior DN is specified.
  • The database is in read-only mode, and the request attempts to write to the directory.
  • The request is a delete request that attempts to delete the root DSE.
  • The request is a modify DN request that attempts to modify the DN of the root DSE.
  • The request is a modify request to modify the schema entry, and one of the following occurs:
    • The operation is LDAP_MOD_REPLACE. (The server does not allow you to replace schema entry attributes.)
    • The request attempts to delete an object class that is the parent of another object class.
    • The request attempts to delete a read-only object class or attribute.
  • The server uses a database plug-in that does not implement the operation specified in the request. For example, if the database plug-in does not implement the add operation, sending an add request will return this result code.

#define LDAP_UNWILLING_TO_PERFORM 0x35 /* 53 */

LDAP_USER_CANCELLED

This result code indicates that the user cancelled the LDAP operation.

Note: Directory Server does not currently send this result code back to LDAP clients.

#define LDAP_USER_CANCELLED 0x58 /* 88 */

I have 3 domain controllers in a 2008 AD environment. Some days ago I found that 1 was corrupt and caused some problems. This server is the first server in the domain and holds certificate service + DFS registrations. All servers are running on VMware. I decided to restore the server from an old backup (12 months old). The restored server is fine but is of course outdated and needs to be synchronized with the two existing ones.

First I cleaned up a little in DNS with the following procedure:

renamed the system32\config\netlogon.dns and netlogon.dnb files
ipconfig /registerdns
net stop netlogon
net start netlogon

That eliminated the first error I had with replication: “The target principal name is incorrect”. Next was to remove lingering objects using: repadmin /removelingeringobjects RESTORED_SERVER1.DOMAIN.COM 83feb989-46eb-4c0b-9c6f-bae9ec24542c "dc=DOMAIN, dc=COM"

Then I tried to do the following:

repadmin /replicate RESTORED_SERVER1.DOMAIN.COM WORKING_DC.DOMAIN.COM DC=DOMAIN,DC=COM /force

repadmin /replicate RESTORED_SERVER1.DOMAIN.COM WORKING_DC.DOMAIN.COM CN=configuration, DC=DOMAIN,DC=COM /force

repadmin /replicate RESTORED_SERVER1.DOMAIN.COM WORKING_DC.DOMAIN.COM CN=schema,CN=configuration, DC=DOMAIN,DC=COM /force

C:\Users\Administrator> repadmin /replicate RESTORED_SERVER1.DOMAIN.COM WORKING_DC.DOMAIN.COM DC=DOMAIN,DC=COM /force

Repadmin can't connect to a "home server", because of the following error.
Try specifying a different home server with /homeserver:[dns name]

Error: An LDAP lookup operation failed with the following error:
    LDAP Error 82(0x52): Local Error
    Server Win32 Error 0(0x0):
    Extended Information:

C:\Users\Administrator> repadmin /replicate RESTORED_SERVER1.DOMAIN.COM WORKING_DC.DOMAIN.COM CN=configuration, DC=DOMAIN,DC=COM /force

Repadmin can't connect to a "home server", because of the following error.
Try specifying a different home server with /homeserver:[dns name]

Error: An LDAP lookup operation failed with the following error:
    LDAP Error 82(0x52): Local Error
    Server Win32 Error 0(0x0):
    Extended Information:

C:\Users\Administrator> repadmin /replicate RESTORED_SERVER1.DOMAIN.COM WORKING_DC.DOMAIN.COM CN=schema,CN=configuration, DC=DOMAIN,DC=COM /force

Repadmin can't connect to a "home server", because of the following error.
Try specifying a different home server with /homeserver:[dns name]

Error: An LDAP lookup operation failed with the following error:
    LDAP Error 82(0x52): Local Error
    Server Win32 Error 0(0x0):
    Extended Information:

So I tried the same 3 commands on the RESTORED domain controller.

repadmin /replicate RESTORED_SERVER1.DOMAIN.COM WORKING_DC.DOMAIN.COM DC=DOMAIN,DC=COM /force

repadmin /replicate RESTORED_SERVER1.DOMAIN.COM WORKING_DC.DOMAIN.COM CN=configuration, DC=DOMAIN,DC=COM /force

repadmin /replicate RESTORED_SERVER1.DOMAIN.COM WORKING_DC.DOMAIN.COM CN=schema,CN=configuration, DC=DOMAIN,DC=COM /force

C:\Users\Administrator> repadmin /replicate RESTORED_SERVER1.DOMAIN.COM WORKING_DC.DOMAIN.COM DC=DOMAIN,DC=COM /force

DsReplicaSync() failed with status 8418 (0x20e2):
    The replication operation failed because of a schema mismatch between the servers involved.

C:\Users\Administrator> repadmin /replicate RESTORED_SERVER1.DOMAIN.COM WORKING_DC.DOMAIN.COM CN=configuration, DC=DOMAIN,DC=COM /force

DsReplicaSync() failed with status 8418 (0x20e2):
    The replication operation failed because of a schema mismatch between the servers involved.

C:\Users\Administrator> repadmin /replicate RESTORED_SERVER1.DOMAIN.COM WORKING_DC.DOMAIN.COM CN=schema,CN=configuration, DC=DOMAIN,DC=COM /force

DsReplicaSync() failed with status 8451 (0x2103):
    The replication operation encountered a database error.

Any help would be appreciated :-)

The core LDAPv3 specification in RFC 4511 defines a number of result codes that are intended to be used in LDAP responses. This chapter describes each of those result codes, the types of operations for which that result code may be returned, and some of the potential causes for it. However, it does not attempt to provide every possible cause for every result code, since different directory servers have different capabilities, and some servers use different result codes for the same purpose. Further, because LDAP is an extensible protocol, and especially because it provides support for controls and extended operations, there may be yet-to-be-created conditions that warrant the use of a particular result code for an unexpected type of operation.

success (0)

Applicable operation types: add, bind, delete, extended, modify, modify DN, search

The success result code is used to indicate that the associated operation completed successfully, at least for some definition of success. It doesn’t necessarily mean that every single part of the operation completed exactly as intended. For example, if the request included a non-critical control that the server couldn’t honor for some reason, then it’s acceptable for the server to proceed as if the control hadn’t been included in the request and to return a response with the success result code if it completed all of the processing not related to that control.

For an add operation, the success result code indicates that the provided entry was created in the DIT.

For a bind operation, the success result code indicates that the provided credentials were valid, that the client connection was successfully authenticated as the target account, and that any requested authorization was applied.

For a delete operation, a success result code indicates that the targeted entry was removed.

For an extended operation, a success result code indicates that whatever processing is indicated for the associated request was completed without error. However, not all types of extended operations use the success result code for this purpose (for example, the cancel extended operation uses the canceled (118) result code to indicate that the target operation was successfully canceled). Just because an extended operation doesn’t return a result code of success doesn’t mean that an error occurred, so you should make sure that you understand the expected behavior for any extended operation that you expect to use.

For a modify operation, a success result code indicates that the requested changes were applied to the targeted entry.

For a modify DN operation, a success result code indicates that the targeted entry was renamed or moved.

For a search operation, a success result code indicates that all appropriate search results were returned. There may have been matching entries (or attributes within matching entries) that weren’t returned because the client wasn’t permitted to access them or because they were otherwise outside the bounds of the search constraints.

Compare operations should never use the success result code. A compare operation that completes successfully should return either compareTrue (6) if the assertion matched or compareFalse (5) if it did not.

operationsError (1)

Applicable operation types: add, compare, delete, extended, modify, modify DN, search

The operationsError result code indicates that the operation could not be processed because it wasn’t in the expected order relative to other operations on the same connection. Some of the reasons that the server might return a response with an operationsError result code include:

  • If an unauthenticated client sends a request that is only allowed for authenticated clients. In that case, the client should perform a bind to authenticate and then re-try the original request.
  • If a client sends any request on a connection that is actively processing a bind, or if a client sends a non-bind request in the middle of a multi-stage SASL bind operation. Clients should not send any other requests on a connection while a bind is in progress.
  • If a client sends a StartTLS extended request on a connection that has already been secured.
  • If a client sends a StartTLS extended request on a connection that has one or more outstanding requests already in progress. The client should wait for any outstanding requests to complete before sending a StartTLS request.

Some directory servers incorrectly use the operationsError result code as if it meant “server error”. This isn’t the intended use for the operationsError result code, and the other (80) result code is the correct one to use for this purpose, but some servers do it nonetheless.

protocolError (2)

Applicable operation types: add, bind, compare, delete, extended, modify, modify DN, search

The protocolError result code indicates that there was a problem with the client’s use of the LDAP protocol. Some of the possible causes for the protocolError result code are:

  • If the client sends a request that the server cannot parse. This may be a malformed LDAP message, an LDAP message with an unrecognized protocol operation type, or any other kind of improperly-formatted request. In some of these cases, it may be possible for the server to include the protocolError result code in a response to the requested operation, but this can only happen if the server can decode the request enough to determine the appropriate message ID and operation type for the response. But for many malformed requests, the server won’t be able to respond directly to that request, and will instead need to use the notice of disconnection unsolicited notification with a protocolError result code before terminating the connection.
  • If the client sends a bind request with an unrecognized LDAP protocol version. At this point, clients should only ever use LDAPv3. Although some clients and servers still support LDAPv2, it was declared historic by RFC 3494 in 2003, and should no longer be used. Similarly, because LDAPv3 is highly extensible, there will probably never be a need for an LDAPv4.
  • If the client sends an extended request with an unrecognized request OID. Clients should generally look at the supportedExtension attribute of a server’s root DSE to determine what types of extended operations the server supports before sending any extended requests.
  • If the client sends an LDAP request with an illegal combination of critical controls. Before using multiple controls in an LDAP request, you should make sure that they can all be used together.

timeLimitExceeded (3)

Applicable operation types: add, bind, compare, delete, extended, modify, modify DN, search

The timeLimitExceeded result code indicates that the associated operation failed because it hadn’t completed by the time a maximum processing time limit had been reached. This result code can technically be returned in response to any kind of operation, but it’s most commonly used for searches because they have the most potential to take a very long time to complete (especially if the search matches a large number of entries or if the server doesn’t have the indexes necessary to process the request efficiently) and because only search requests allow the client to specify an upper bound for how long it wants the server to spend processing the operation.

Even though the client can specify the desired time limit in the search request, directory servers generally treat this as an upper bound. The server may impose its own time limit for the operation, and that time limit may be more restrictive than the one the client requested.

If a search operation fails with a timeLimitExceeded result code, then the server may have already returned a subset of the entries matching the search criteria. However, the client should not assume that this is the complete set of matching entries, and should not necessarily assume that they were returned in any particular order (unless the search request included a critical server-side sort request control).

The timeLimitExceeded result code may also be used in cases where the request is received by one LDAP server (or LDAP proxy server), and is then forwarded on to another server for processing. In the event the backend server takes too long to respond to this request, the intermediate server may give up and return a response with a timeLimitExceeded result code. If the requested operation is intended to alter the contents of the server, then the associated changes may or may not eventually be applied.

sizeLimitExceeded (4)

Applicable operation types: search

The sizeLimitExceeded result code indicates that the associated search operation failed because the server has determined that the number of entries that would be returned in response to the search would exceed the upper bound for that operation.

As with the timeLimitExceeded (3) result code, every search request includes an element that specifies the maximum size limit that the client wants to use, but the server may impose its own limit that is lower than the limit requested by the client. And the server may or may not have already returned some number of entries before encountering the size limit.

compareFalse (5)

Applicable operation types: compare

The compareFalse result code indicates that the associated compare request targeted an entry that exists and that contains the targeted attribute, but does not have any value that matches the provided assertion value.

compareTrue (6)

Applicable operation types: compare

The compareTrue result code indicates that the associated compare request targeted an entry that exists and that contains the targeted attribute with a value that matches the provided assertion value.

authMethodNotSupported (7)

Applicable operation types: bind

The authMethodNotSupported result code indicates that the associated bind operation failed because the client attempted to authenticate with a mechanism that the server does not support or that it does not allow the client to use. This result code can be returned in response to a simple bind request if the server does not permit simple authentication. It can be returned in response to a SASL bind request if the server does not support the requested SASL mechanism, or if the client is not allowed to authenticate with that SASL mechanism.

strongerAuthRequired (8)

Applicable operation types: add, bind, compare, delete, extended, modify, modify DN, search

The strongerAuthRequired (formerly strongAuthRequired) result code indicates that the server requires the client to authenticate with a stronger form of authentication.

If the strongerAuthRequired result code is received in response to a bind request, it indicates that the server requires a stronger form of authentication for that client. The client should try authenticating with a stronger mechanism.

If the strongerAuthRequired result code is received in response to some other type of request, it indicates that the requested operation is only allowed for clients that have completed some stronger form of authentication. The client should try authenticating with a stronger mechanism, and then re-submit the request that triggered this result code.

If the strongerAuthRequired result code is received in a notice of disconnection unsolicited notification, it indicates that the server believes that the security of the communication channel between the client and the server has failed or become compromised, and is terminating the connection as a result. The client should establish a new connection and negotiate a new security layer for that connection.

referral (10)

Applicable operation types: add, bind, compare, delete, extended, modify, modify DN, search

The referral result code indicates that the request cannot be processed exactly as issued, but that it might succeed if re-issued to a different server, or is updated to target a different location in the DIT. If the client supports following referrals, then it shouldn’t treat this as an error, but rather as an indication that the request needs to be tried again based on the information contained in the referral.

Some of the reasons that the server might return a response with the referral result code are:

  • If the server is operating in a mode in which it cannot process the request but is aware of other servers that may be able to process it. For example, if a request attempts to apply some change to the data in a read-only server, then that server might use a referral to redirect the client to a server that supports write operations.
  • If the DIT is broken up across multiple servers and the client targets an entry in a portion of the DIT that is not contained locally. If the directory server is aware of the servers that are expected to contain the targeted entry, then it may use a referral to redirect the client to those servers.
  • If the request targets an entry at or below a “smart referral” in the DIT. A smart referral is a special kind of entry with the referral structural object class and the ref operational attribute whose values are the URIs that should be included in the response.

When processing a search operation, the referral result code should only be used when locating the base entry for the search (for example, if the search base DN references an entry known to be in a portion of the DIT housed elsewhere, or if it resides at or below a smart referral entry). If the entry targeted by the search base DN is held locally but one or more portions of the search scope might require the client to issue the search elsewhere, then those referral URIs should be returned to the client in the form of search result reference messages.

It is also possible that the referral result code could be returned in response to a bind request. If the referral URIs indicate that the client should send the bind request to a different server, then it is generally recommended that the client send all subsequent operations to the same server targeted by the bind referral. If a client follows a bind referral to a different server, then the original server will not have any knowledge of that bind attempt, and its authentication state will not have been updated to reflect the success or failure of the bind in the other server.

Clients must be aware of the possibility that a request sent in response to a referral could itself yield another referral. This could happen, for example, if the server that returned the previous referral had outdated information about the location of the targeted entry, or if the referral targeted a server that was temporarily unable to process the request. Any client that supports following referrals should be prepared to receive nested referrals, and should also have some mechanism for detecting and avoiding referral loops (in which one referral contains a URI that indicates that the client should send a request that it has already sent). This could be accomplished by ensuring that the client remembers all of the request details for each attempt at processing a given operation, and having that client abort if it would send a request that it has already sent. Alternately, it could be accomplished by maintaining a counter that is to be incremented each time the client follows a referral and having the client abort if the counter reaches a specified value. RFC 4511 section 4.1.10 indicates that a client must be able to handle at least ten nested referrals (but honestly, that seems pretty excessive).

If the client detects a referral loop, then it should use the clientLoop (96) client-side result code. If the server detects a referral loop (for example, when attempting to automatically follow a referral on behalf of the client), then the loopDetect (54) result code is more appropriate.

Referrals are described in detail in RFC 4511 section 4.1.10, including the behavior that clients should exhibit when encountering referrals. The basic rules are:

  • If the referral URI includes a base DN value, then the client should use that DN in its next request. If the referral URI does not include a base DN, then the client should use the same DN as it used for the request that triggered the referral.
  • If a referral URI returned in response to a search request includes a search filter, then the client should use that filter in the request that it issues when following the referral. If the referral URI does not include a filter, then the client should use the same filter as it used for the request that triggered the referral.
  • If a referral URI returned in response to a search request includes a search scope, then the client should use that scope in the request that it issues when following the referral. If the referral URI does not include a scope, then the client should use the same scope as it used for the request that triggered the referral.

Other considerations for following referrals include:

  • If the referral URI does not specify the address of the server to which the request is to be sent, then it generally indicates that the request should be sent to the same server but with different parameters. This is especially true for a referral URI that has a different base, scope, or filter than the request that triggered the referral. However, RFC 4516 does indicate that if a client encounters an LDAP URL without a host, then the client may be expected to have some a priori knowledge of the appropriate server to which the request should be sent.
  • If a client needs to establish a new connection when following a referral, then the client should ensure that the new connection has at least the same level of security as the original connection. For example, if the original connection was protected with TLS, then the client should negotiate TLS security on any new connection that it establishes when following that referral.
  • If a client needs to establish a new connection when following a referral for any type of operation other than a bind, the client should ensure that the new connection is authenticated before sending the referral request. Unless the client has specific knowledge that different credentials or a different authentication method are required when following the referral, it should use the same authentication method and credentials for any new connection that it establishes when following that referral.
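The referral-following rules above (base DN, scope and filter fall back to the triggering request; a URI without a host means the same server; the new connection keeps at least the original security level; the client remembers what it has sent so it can detect a loop) are easy to get subtly wrong, so here they are as an added example in Python. This is not code from the page or from any LDAP library: SearchRequest, the SAMPLE_SERVERS table and the hostnames in it are constructed for illustration, and the table stands in for real servers that would answer with entries or with a referral.

```python
"""Client-side referral handling, as an added example (not from the page or any
library): build the follow-up request from a referral URI using the base DN,
scope and filter fallback rules, keep the connection at least as secure, and
detect referral loops. SearchRequest, SAMPLE_SERVERS and the hosts in it are
constructed for illustration."""
from dataclasses import dataclass
from urllib.parse import urlsplit, unquote

MAX_REFERRAL_HOPS = 10  # RFC 4511 section 4.1.10: clients must handle at least ten nested referrals


class ReferralLoop(Exception):
    """Following the referral would repeat a request already sent (clientLoop, 96)."""


@dataclass(frozen=True)
class SearchRequest:
    host: str
    port: int
    secure: bool   # True when the connection is TLS-protected (ldaps:// or StartTLS)
    base_dn: str
    scope: str     # "base", "one" or "sub"
    filter: str


def parse_ldap_url(url):
    """Split an RFC 4516 LDAP URL (ldap[s]://[host[:port]]/dn?attrs?scope?filter)
    into its parts; parts that are absent come back as None."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL: %r" % url)
    fields = parts.query.split("?") if parts.query else []
    return {
        "host": parts.hostname,   # None when the URL carries no host part
        "port": parts.port or (636 if parts.scheme == "ldaps" else 389),
        "secure": parts.scheme == "ldaps",
        "dn": unquote(parts.path[1:]) if len(parts.path) > 1 else None,
        "scope": fields[1] if len(fields) > 1 and fields[1] else None,
        "filter": unquote(fields[2]) if len(fields) > 2 and fields[2] else None,
    }


def follow_referral(current, referral_url, sent):
    """Derive the next request from a referral URI. Missing URI parts fall back to
    the request that triggered the referral; a URI without a host means "same
    server". The security flag never drops: a plaintext ldap:// referral from a
    TLS connection still gets TLS (the client would StartTLS on the new socket)."""
    ref = parse_ldap_url(referral_url)
    nxt = SearchRequest(
        host=ref["host"] or current.host,
        port=ref["port"] if ref["host"] else current.port,
        secure=current.secure or ref["secure"],
        base_dn=ref["dn"] if ref["dn"] is not None else current.base_dn,
        scope=ref["scope"] or current.scope,
        filter=ref["filter"] or current.filter,
    )
    if nxt in sent:   # the "remember every request already sent" loop check
        raise ReferralLoop("referral loop: %s would be sent again" % (nxt,))
    sent.add(nxt)
    return nxt


# Constructed stand-in for several servers: (host, base DN) -> entries held
# locally (a list) or a referral URI (a string) pointing elsewhere.
SAMPLE_SERVERS = {
    ("ldap.example.com", "dc=example,dc=com"):
        "ldap://ldap-eu.example.com/ou=people,dc=example,dc=com",
    ("ldap-eu.example.com", "ou=people,dc=example,dc=com"):
        ["uid=alice,ou=people,dc=example,dc=com"],
    ("ldap-a.example.com", "dc=loop,dc=example"):
        "ldap://ldap-b.example.com/dc=loop,dc=example",
    ("ldap-b.example.com", "dc=loop,dc=example"):
        "ldap://ldap-a.example.com/dc=loop,dc=example",
}


def run_search(start, servers=SAMPLE_SERVERS):
    """Issue the search, following referrals until entries come back.
    Returns (the request that finally succeeded, entries)."""
    sent = {start}
    request = start
    for _ in range(MAX_REFERRAL_HOPS + 1):
        answer = servers.get((request.host, request.base_dn))
        if answer is None:
            raise LookupError("noSuchObject (32) for %s" % request.base_dn)
        if isinstance(answer, list):
            return request, answer
        request = follow_referral(request, answer, sent)
    raise ReferralLoop("gave up after %d nested referrals" % MAX_REFERRAL_HOPS)
```

Two design points: the loop check compares the whole request (host, port, security, base, scope and filter), because a referral to the same host with a narrower base is legitimate and must not be mistaken for a loop; and the hop cap is kept as a second, independent guard so a long chain of distinct referrals still terminates.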

adminLimitExceeded (11)

Applicable operation types: add, bind, compare, delete, extended, modify, modify DN, search

The adminLimitExceeded result code indicates that some administrative limit within the server was exceeded while processing the request. RFC 4511 does not provide any specific guidance on when this result code might be returned, but draft-just-ldapv3-rescodes suggests that a server might return it if there is some upper bound on the number of entries that it will examine in the course of processing a search. In fact, several directory servers do enforce such a limit, and that limit is often referred to as a lookthrough limit.

Another instance in which this result code might be returned would be in the case of a server that supports the subtree delete request control as described in draft-armijo-ldap-treedelete. If the server imposes an upper limit on the size of a subtree that may be deleted, then the server may return the adminLimitExceeded result code when trying to delete a subtree that contains more than that number of entries.

unavailableCriticalExtension (12)

Applicable operation types: add, bind, compare, delete, extended, modify, modify DN, search

The unavailableCriticalExtension result code indicates that the request includes a control with a criticality of true, but that control could not be honored for some reason. Some of the potential causes for this result code include:

  • The server does not support the requested control. It’s generally a good idea for clients to look at the supportedControl operational attribute in the server’s root DSE to determine which request controls the server supports before using any controls.
  • The requested control is not applicable to the requested type of operation (for example, if a server-side sort request control is included in an add request).
  • The requested control is only supported for the requested type of operation when the request matches certain criteria, but those criteria were not satisfied (for example, the virtual list view request control can only be used in a search request that also includes the server-side sort request control).
  • The requested control is only supported for entries in some portion of the DIT, but the request targets content in a location where the control is not supported (for example, some controls may only be supported when targeting user entries, but not when targeting server-provided entries like the root DSE, schema subentry, or configuration entries).

confidentialityRequired (13)

Applicable operation types: add, bind, compare, delete, extended, modify, modify DN, search

The confidentialityRequired result code indicates that the server is only willing to process the requested operation if it is received over a secure connection that does not allow an eavesdropper to decipher or alter the contents of the request or response. For example, a server may only permit operations that involve clear-text passwords (like a simple bind request or a password modify extended request) to be requested over a secure connection and could return this result code in response to an attempt to send a clear-text password over an insecure connection.

If a client receives the confidentialityRequired result code, then it should take steps to secure the existing connection (for example, using the StartTLS extended operation, or by binding with a SASL mechanism that supports the auth-conf quality of protection), or to establish a new secure connection (for example, using a TLS-based connection) before re-sending the request.

saslBindInProgress (14)

Applicable operation types: bind

The saslBindInProgress result code indicates that the server has completed a portion of the processing for the provided SASL bind request, but that it needs additional information from the client to complete the authentication. Certain SASL mechanisms, like CRAM-MD5, DIGEST-MD5, and GSSAPI, require multiple stages of processing and therefore require multiple request-response cycles with the server, and the saslBindInProgress result code is used in all bind responses except for the last one in the sequence (which will indicate whether the bind succeeded or failed).

This is not an error result, but it does mean that the client needs to send another bind request with the same SASL mechanism and additional credentials. The client must not send any other requests on the connection until it has sent a bind request and the server has returned a bind response with a non-saslBindInProgress result code. If a client sends any other kind of request in the middle of a multi-stage SASL bind, the server should reject that request with an operationsError (1) result code.
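To make the sequencing concrete, the following added example (not code from the page, a server or a library) simulates both sides of a two-stage SASL bind in Python: the server answers the first bind request with saslBindInProgress (14) and a challenge, the client answers the challenge in a second bind request, and a search slipped in between the two stages is refused with operationsError (1). CRAM-MD5 is used only because it is the simplest of the mechanisms named above; the account table, the hostname in the challenge and the message dictionaries are constructed stand-ins for real protocol messages.

```python
"""Simulated two-stage SASL bind, as an added example (not server or library
code). The server answers the first CRAM-MD5 bind request with
saslBindInProgress (14) and a challenge; the client answers in a second bind
request; any other request sent in between is refused with operationsError (1).
The account table and hostname are constructed."""
import hashlib
import hmac
import os

SUCCESS, OPERATIONS_ERROR, AUTH_METHOD_NOT_SUPPORTED = 0, 1, 7
SASL_BIND_IN_PROGRESS, INVALID_CREDENTIALS = 14, 49

# Constructed account table. CRAM-MD5 needs the password (or an HMAC-MD5
# intermediate) server-side, which is a good reason to prefer other mechanisms.
USERS = {"alice": b"correct horse battery staple"}


class SaslServer:
    """Per-connection server state: at most one bind can be in progress."""

    def __init__(self):
        self.pending_challenge = None   # non-None while stage 2 is awaited
        self.authenticated_as = None

    def handle(self, request):
        op = request["op"]
        if self.pending_challenge is not None and op != "bind":
            # Anything but the next bind stage is out of order on this connection.
            return {"result": OPERATIONS_ERROR}
        if op != "bind":
            return {"result": SUCCESS}
        if request.get("mechanism") != "CRAM-MD5":
            return {"result": AUTH_METHOD_NOT_SUPPORTED}
        if self.pending_challenge is None:
            # Stage 1: hand out a fresh challenge and report the bind as in progress.
            self.pending_challenge = b"<" + os.urandom(8).hex().encode() + b"@ldap.example.com>"
            return {"result": SASL_BIND_IN_PROGRESS,
                    "serverSaslCreds": self.pending_challenge}
        # Stage 2: credentials are "username hexdigest"; the challenge is single-use.
        challenge, self.pending_challenge = self.pending_challenge, None
        try:
            user, digest = request["credentials"].decode().split(" ", 1)
        except (KeyError, ValueError, UnicodeDecodeError):
            return {"result": INVALID_CREDENTIALS}
        expected = hmac.new(USERS.get(user, b""), challenge, hashlib.md5).hexdigest()
        if user in USERS and hmac.compare_digest(expected, digest):
            self.authenticated_as = user
            return {"result": SUCCESS}
        return {"result": INVALID_CREDENTIALS}


def sasl_bind(server, user, password):
    """Client side: keep the bind going while the server says in-progress.
    Returns the final bind result code."""
    request = {"op": "bind", "mechanism": "CRAM-MD5"}
    for _ in range(3):   # CRAM-MD5 takes two round trips; the cap is a safety guard
        response = server.handle(request)
        if response["result"] != SASL_BIND_IN_PROGRESS:
            return response["result"]
        digest = hmac.new(password, response["serverSaslCreds"], hashlib.md5).hexdigest()
        request = {"op": "bind", "mechanism": "CRAM-MD5",
                   "credentials": ("%s %s" % (user, digest)).encode()}
    raise RuntimeError("server never left the saslBindInProgress state")


def interleaved_search_result(server):
    """Start a bind, then send a search before finishing it. Per RFC 4511 the
    server must answer the search with operationsError (1)."""
    first = server.handle({"op": "bind", "mechanism": "CRAM-MD5"})
    assert first["result"] == SASL_BIND_IN_PROGRESS
    return server.handle({"op": "search"})["result"]
```

The client loop is the part to copy: it keys only on the result code, so the same loop serves any multi-stage mechanism, and it never sends a non-bind request until a non-14 bind response has arrived. On the server side the challenge is consumed on first use and compared in constant time.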

noSuchAttribute (16)

Applicable operation types: compare, modify

The noSuchAttribute result code indicates that the request targeted an attribute that does not exist in the specified entry.

For a compare request, it indicates that the targeted entry exists, but does not have any values for the attribute used in the compare assertion.

For a modify request, it indicates that the request attempted to delete one or more attribute values that don’t exist in the targeted entry, that the request attempted to delete an entire attribute that does not have any values in the targeted entry, or that the request attempted to increment the value of an attribute that does not have any values in the targeted entry.

undefinedAttributeType (17)

Applicable operation types: add, modify

The undefinedAttributeType result code indicates that the request attempted to provide one or more values for an attribute type that is not defined in the server schema.

For an add request, it indicates that the provided entry included an attribute for which there is no corresponding attribute type definition in the schema.

For a modify request, it indicates that a modification attempted to add one or more values, or to replace the entire set of values, for an attribute type that is not defined in the server schema.

inappropriateMatching (18)

Applicable operation types: search

The inappropriateMatching result code indicates that the search request tried to perform some type of matching that is not supported for the target attribute type. Some of the potential causes for this result code include:

  • If the search filter contains an equality component that targets an attribute type without an equality matching rule.
  • If the search filter contains a greater-or-equal or less-or-equal component that targets an attribute type without an ordering matching rule.
  • If the search filter contains a substring component that targets an attribute type without a substring matching rule.
  • If the search filter contains an approximate-match component that targets an attribute type for which approximate matching is not supported.
  • If an extensible match filter attempts to use a matching rule in combination with an attribute type for which the requested matching rule is not supported.
  • If a search request includes a server-side sort request control with a sort key that does not specify a matching rule and for which the attribute type does not have an ordering matching rule.
  • If a search request includes a server-side sort request control with a sort key that specifies a matching rule that is not supported for the target attribute type.

constraintViolation (19)

Applicable operation types: add, modify, modify DN

The constraintViolation result code indicates that the requested operation would have resulted in an entry that violates some constraint defined within the server. Some of the potential causes for this result code are:

  • If the requested operation would have resulted in a single-valued attribute having multiple values.
  • If the server is configured to ensure that no two entries are allowed to have the same value for a particular attribute type, and the requested operation would have resulted in an entry with a value that is already in use in some other entry in the server.
  • If the requested operation would have resulted in an attribute with at least one value that conforms to the syntax of the associated attribute type, but that violates some other constraint defined for that attribute (for example, if the server would have required a numeric value within a particular range, but the provided value was outside of that range).

attributeOrValueExists (20)

Applicable operation types: add, modify

The attributeOrValueExists result code indicates that the requested operation would have resulted in an attribute in which the same value appeared more than once.

For an add request, it indicates that at least one of the attributes in the provided entry had a duplicate value.

For a modify request, it indicates that either an add or replace modification included the same value multiple times, or that an add modification attempted to add a value that already exists in the entry.

invalidAttributeSyntax (21)

Applicable operation types: add, modify

The invalidAttributeSyntax result code indicates that the requested add or modify operation would have resulted in an entry that had at least one attribute value that does not conform to the constraints of the associated attribute syntax.

noSuchObject (32)

Applicable operation types: add, compare, delete, extended, modify, modify DN, search

The noSuchObject result code indicates that the requested operation targeted an entry that does not exist within the DIT.

For an add request, it means that the immediate parent of the entry to be added does not exist and that the DN of the entry to be added does not match any of the configured naming contexts.

For a compare, delete, or modify request, it indicates that the targeted entry does not exist.

For a modify DN request, it indicates that either the targeted entry does not exist, or that the provided new superior DN references an entry that does not exist.

For a search request, it indicates that the entry targeted by the search base DN does not exist.

The noSuchObject result code is not supposed to be returned in response to a bind operation. The invalidCredentials (49) result code should be used when the bind request targets an entry that does not exist, but some directory servers are known to incorrectly use the noSuchObject result code in this case.

A response that includes the noSuchObject result code may also include a matched DN to specify the DN of the nearest ancestor to the provided DN that does exist in the DIT. For example, if a modify request targets the nonexistent uid=missing,ou=People,dc=example,dc=com entry, but the ou=People,dc=example,dc=com entry does exist, then the modify response should have a result code of noSuchObject and a matched DN of ou=People,dc=example,dc=com. However, if none of the ancestors for the targeted entry exist in the DIT, or if the client does not have permission to access any of those ancestor entries, then the matched DN should be omitted from the response.

aliasProblem (33)

Applicable operation types: search

The aliasProblem result code indicates that a problem occurred while attempting to dereference an alias during search processing. For example, it may be used if an alias is encountered that references an entry that does not exist. In such cases, the search result done response may also include a matched DN that specifies the nearest ancestor to the dereferenced entry that does exist in the DIT.

Aliases are only to be dereferenced in the course of processing a search operation, so this result code does not apply to any other type of operation. If an alias-related problem is encountered for any other type of operation (for example, if a non-search operation targets an entry that is an alias), then the aliasDereferencingProblem (36) result code should be used.

invalidDNSyntax (34)

Applicable operation types: add, bind, compare, delete, extended, modify, modify DN, search

The invalidDNSyntax result code indicates that the request included a malformed entry DN. It may indicate that the provided DN does not conform to the syntax specified in RFC 4514, or that one or more of the attribute values included in the DN does not conform to the associated attribute syntax.

For an add, compare, delete, or modify request, it indicates that the provided target entry DN is malformed.

For a simple bind request, it indicates that the provided target entry DN is malformed. For a SASL bind request, it indicates that the authentication or authorization identity was specified using a malformed DN.

For a modify DN request, this indicates that at least one of the target entry DN, the new RDN, or the new superior DN is malformed.

For a search request, it indicates that the search base DN is malformed.

In the event that the server is able to partially decode the provided DN, the response may also include a matched DN that specifies the nearest ancestor to the decodable portion of the DN that does exist within the server and that the requester has permission to access.

aliasDereferencingProblem (36)

Applicable operation types: add, bind, compare, delete, extended, modify, modify DN, search

The aliasDereferencingProblem result code indicates that the server encountered an alias while processing the request and that there was some problem related to that alias.

The draft-just-ldapv3-rescodes draft suggests that this result code should only be returned for a search operation, especially if the client does not have permission to access the aliased entry, or if the client does not have permission to access the aliasedObjectName attribute in the alias entry. However, RFC 4511 also suggests that it may be returned in the event that an operation targets an alias entry in a manner that is not allowed. For example, aliases are not allowed to be dereferenced when processing non-search operations, so the aliasDereferencingProblem result code may be used to indicate that the targeted DN matched or was subordinate to the DN of an alias entry.

inappropriateAuthentication (48)

Applicable operation types: bind

The inappropriateAuthentication result code indicates that the client attempted to bind in a manner that is inappropriate for the target account. Some possible reasons for this result code include:

  • The client attempted to perform anonymous authentication, but the server does not permit anonymous authentication.
  • The client attempted to perform a type of authentication for which the target account does not have an appropriate set of credentials. For example, this result code may be returned if a client attempts to perform a password-based bind when the target user’s entry does not contain a password.
  • The client attempted to perform a type of authentication that is not allowed for that client. For example, the client attempted to perform a lower-security type of authentication (like simple authentication or SASL PLAIN) when a stronger method (e.g., a client certificate or a two-factor mechanism) is required.

invalidCredentials (49)

Applicable operation types: bind

The invalidCredentials result code indicates that the client attempted to bind with a set of credentials that cannot be used to authenticate. Some of the potential reasons that this result code might be returned are:

  • The bind request targeted a user that does not exist.
  • The client tried to authenticate with an incorrect password.
  • The client tried to authenticate with a SASL bind request that included non-password credentials that could not be successfully verified.
  • The bind request targeted a user that is not permitted to authenticate for some reason (for example, because the account has been locked, the user’s password has expired, etc.).

insufficientAccessRights (50)

Applicable operation types: add, compare, delete, extended, modify, modify DN, search

The insufficientAccessRights result code indicates that the client requested an operation for which it does not have the necessary access control permissions, with the following caveats:

  • This result code should not be returned in response to a bind request. The invalidCredentials (49) result code is the correct one to use for that.
  • This result code should only be returned in response to a search request if there is a problem with the search request itself (for example, if the client isn’t able to access the entry specified as the search base DN, or if it isn’t able to search with the provided filter). If there are any search result entries that the client doesn’t have permission to access, those entries should simply be omitted from the results that are returned to the client with no impact on the result code.
  • This result code should not be returned in response to a search request if the base DN targets an alias entry that references an entry the client does not have permission to access. The aliasDereferencingProblem (36) result code is the correct one to use for that.

busy (51)

Applicable operation types: add, bind, compare, delete, extended, modify, modify DN, search

The busy result code indicates that the requested operation cannot be processed because the server is currently too busy. The client may wish to re-submit the request at a later time or send it to a different server.

unavailable (52)

Applicable operation types: add, bind, compare, delete, extended, modify, modify DN, search

The unavailable result code indicates that the server is currently not available to process the requested operation. Some of the uses for this result code include:

  • If the server is in the process of shutting down and is no longer accepting requests.
  • If the server is in the process of starting up but is not yet ready to accept requests.
  • If a portion of the server is unavailable for some reason. For example, a directory server might return this result code if an administrative operation (e.g., importing data from LDIF, restoring a backup, rebuilding indexes, etc.) has made a portion of the DIT inaccessible.
  • If the server depends on an external resource that is currently unavailable. For example, an LDAP proxy server might return this result code if all of the backend servers are unreachable.

If a client receives an unavailable result, it may wish to re-submit the request at a later time or send it to a different server.

unwillingToPerform (53)

Applicable operation types: add, bind, compare, delete, extended, modify, modify DN, search

The unwillingToPerform result code indicates that the server is not willing to process the requested operation for some reason. This is a fairly generic result code that may be used if the server refuses to process an operation for a reason that is not covered by a more specific result code. If there is a more specific result code, then that should be used instead. For example, if the client doesn’t have the necessary access control permissions that the operation requires, the server should return insufficientAccessRights (50) instead of unwillingToPerform.

There are many potential causes for this result code. Some of them include:

  • If a simple bind request includes a DN but no password. This was allowed by the original LDAPv3 specification (RFC 2251), and the server was to treat it as an anonymous simple bind just like if both the bind DN and password elements of the bind request had been empty. However, this behavior was responsible for a number of security vulnerabilities in poorly-written applications (in which they didn’t bother to check whether the password was empty before using it to bind). The revised LDAPv3 specification (RFC 4513 section 5.1.2) now recommends rejecting a simple bind request with a DN but no password with the unwillingToPerform result code.
  • If the server can determine that the requested operation would be too expensive to process. For example, the server may reject a search request if it can determine that it does not have an appropriate set of indexes in place that would be needed to process that search efficiently.
  • If an add or modify request attempts to write values for attributes that are declared as NO-USER-MODIFICATION in the server schema.
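The first cause above is worth seeing in application logic, because the bug lives in the client, not the server. The following added example (not code from the original page) uses a small in-memory model of the two server behaviours described in the text, the legacy RFC 2251 one that turns "DN but no password" into an anonymous bind and the RFC 4513 one that returns unwillingToPerform, and shows a login routine that trusts any success result beside one that refuses to send an empty password at all; the directory entry and password are constructed.

```python
"""Empty-password simple bind: vulnerable versus hardened application logic.

Added example, not from the original page. `simple_bind` is a model of the two
server behaviours the text describes, standing in for a real directory server.
"""

SUCCESS, INVALID_CREDENTIALS, UNWILLING_TO_PERFORM = 0, 49, 53

# Constructed directory data: bind DN -> password.
DIRECTORY = {"uid=alice,ou=People,dc=example,dc=com": "correct horse battery"}


def simple_bind(dn, password, rfc4513=True):
    """Model a server's response to a simple bind: (result_code, authorization identity)."""
    if dn == "" and password == "":
        return SUCCESS, "anonymous"  # an anonymous bind is a valid request on any server
    if dn and password == "":
        if rfc4513:
            return UNWILLING_TO_PERFORM, None  # RFC 4513 section 5.1.2: reject the request
        return SUCCESS, "anonymous"  # legacy RFC 2251: silently treated as anonymous
    if DIRECTORY.get(dn) == password:
        return SUCCESS, dn
    return INVALID_CREDENTIALS, None


def login_vulnerable(dn, password, rfc4513):
    """Treats any success result as proof of identity: an empty password logs in on a legacy server."""
    code, _ = simple_bind(dn, password, rfc4513)
    return code == SUCCESS


def login_hardened(dn, password, rfc4513):
    """Never send an empty password, and require the bound identity to be the requested DN."""
    if not dn or not password:
        return False  # the check the text says poorly written applications skipped
    code, authz = simple_bind(dn, password, rfc4513)
    # Against a real server the bound identity can be confirmed with the
    # "Who am I?" extended operation (RFC 4532) instead of trusting the result code alone.
    return code == SUCCESS and authz == dn


if __name__ == "__main__":
    alice = "uid=alice,ou=People,dc=example,dc=com"
    for server, legacy in (("RFC 4513 server", False), ("RFC 2251 server", True)):
        print(server, "empty password: vulnerable ->", login_vulnerable(alice, "", not legacy),
              "| hardened ->", login_hardened(alice, "", not legacy))
```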

loopDetect (54)

Applicable operation types: add, bind, compare, delete, extended, modify, modify DN, search

The loopDetect result code indicates that the server detected some kind of circular reference in the course of processing an operation. Some of the potential causes for this result code are:

  • If the server supports aliases and the process of dereferencing an alias eventually leads the server back to an alias entry that it has already encountered.
  • If the server supports following referrals on behalf of the client and it receives a referral that would require the server to issue a request to a server to which it has already issued that same request.
  • If the server supports chaining and it detects a chaining loop between servers.

In some cases, the server may use the loopDetect result code even if it hasn’t actually detected a loop. For example, some servers use a counter to keep track of the number of hops they’ve had to make when following a reference, and may assume that there’s a loop if the number of hops would exceed some maximum.

namingViolation (64)

Applicable operation types: add, modify DN

The namingViolation result code indicates that the requested add or modify DN operation would have resulted in an entry that violates some naming constraint within the server. Some of the potential causes for this result code are:

  • The operation would have resulted in an entry whose DN violates the constraints for a name form. Name forms may be used to restrict which attribute types can be used in an entry’s RDN based on the structural object class for that entry.
  • The operation would have resulted in an entry that violates the constraints for a DIT structure rule. DIT structure rules may be used to ensure that entries with a specified structural object class can only have entries with one of a specified set of structural classes as their immediate subordinates.
  • The request would have resulted in an entry that exists below an alias entry. All alias entries must be leaf entries.

objectClassViolation (65)

Applicable operation types: add, modify, modify DN

The objectClassViolation result code indicates that the requested operation would have resulted in an entry that has an inappropriate set of object classes, or whose attributes violate the constraints associated with its set of object classes. Some of the possible reasons for this include:

  • The entry would have included an object class that is not defined in the schema.
  • The entry would not have included any structural object class.
  • The entry would have included multiple structural object classes.
  • The entry would have included an auxiliary object class that is not permitted to be used in conjunction with its structural object class.
  • The entry would have included an abstract object class that is not a superclass for any of the structural or auxiliary object classes for that entry.
  • The entry would have been missing an attribute that is required by one of its object classes or its DIT content rule.
  • The entry would have included an object class that is not permitted by any of its object classes, or that is prohibited by its DIT content rule.

notAllowedOnNonLeaf (66)

Applicable operation types: delete, modify DN

The notAllowedOnNonLeaf result code indicates that the requested operation is only supported for leaf entries, but the targeted entry has one or more subordinates.

For a delete request, this indicates that the targeted entry has one or more subordinate entries. Under normal circumstances, a delete request is only allowed to remove leaf entries, although some servers may provide support for a control (like the one described in draft-armijo-ldap-treedelete) that allows removing an entry and all of its subordinates in a single request.

For a modify DN request, this indicates that the targeted entry has one or more subordinate entries and that the server does not support moving or renaming entries with subordinates. Some servers do support this capability, but others do not.

notAllowedOnRDN (67)

Applicable operation types: modify

The notAllowedOnRDN result code indicates that the requested modify operation would have resulted in an entry that does not include all of the attributes used in its RDN. The following modification types are not allowed:

  • A delete modification without any values (indicating that the entire attribute should be removed from the entry) that targets an attribute type used in the entry’s RDN.
  • A delete modification with one or more values, including an attribute value used in the entry’s RDN.
  • A replace modification without any values (indicating that the entire attribute should be removed from the entry) that targets an attribute type used in the entry’s RDN.
  • A replace modification with one or more values (indicating that only the provided values should be used for that attribute) that targets an attribute type used in the entry’s RDN, but that omits a value used in the entry’s RDN.

If you wish to remove an attribute value from an entry, but that value is used in the entry’s RDN, you should use a modify DN request that specifies a new RDN that does not use that value, and whose “delete old RDN” flag is set to true. Standard LDAP does not provide a single type of operation that allows altering both an entry’s DN and other attributes in the entry that are not included in its DN, although some types of directory servers may provide some way to accomplish this in an atomic manner. For example, if a server supports LDAP transactions as described in RFC 5805, then a transaction may include both a modify DN request to update the entry’s DN and a modify request to make other changes to the entry’s attribute values.

entryAlreadyExists (68)

Applicable operation types: add, modify DN

The entryAlreadyExists result code indicates that the requested operation would have resulted in an entry with the same DN as an entry that already exists in the server.

For an add request, it means that the server already contains an entry whose DN matches the DN contained in the request.

For a modify DN request without a new superior DN, it means that the server already contains an entry below the same parent of the targeted entry whose RDN matches the new RDN contained in the request.

For a modify DN request with a new superior DN, it means that the server already contains an entry below the specified new superior DN whose RDN matches the new RDN contained in the request.

objectClassModsProhibited (69)

Applicable operation types: modify

The objectClassModsProhibited result code indicates that the requested modify operation would have altered the target entry’s set of object classes in a way that is not supported. This is typically returned in response to a modify request that would cause the target entry to have a different structural object class.

Changing an entry’s structural object class is technically permitted by LDAP, but many servers do not support it because it can require a substantial amount of validation effort to ensure that the changes do not violate any constraints. In addition to all of the validation normally associated with a modify operation, changing an entry’s structural object class requires the following additional validation:

  • Identifying the new DIT content rule (if any) that applies to the entry and ensuring that all of its constraints are satisfied, including required attribute types, prohibited attribute types, and permitted auxiliary object classes.
  • Identifying the new name form (if any) that applies to the entry and ensuring that the entry’s RDN satisfies all of its constraints, including ensuring that the RDN has all required attribute types and does not include any attribute types that are not permitted.
  • Identifying the DIT structure rule (if any) that applies to the entry and ensuring that the entry is still permitted to exist beneath its parent.
  • Identifying the DIT structure rules (if any) that apply to each of the entry’s subordinates and ensuring that they are still permitted to exist beneath the entry.

affectsMultipleDSAs (71)

Applicable operation types: add, delete, extended, modify, modify DN

The affectsMultipleDSAs result code indicates that the requested operation would have required manipulating information in multiple servers in a way that is not supported. Some of the potential conditions in which you might see this result code are:

  • If the directory environment is configured so that different portions of the DIT are held in different servers (or in different databases in the same server), and a modify DN operation would require moving an entry from one server (or database) to another.
  • If the directory environment is configured with data split across multiple servers (or multiple databases in the same server), and a transaction targets entries in multiple servers (or databases).
  • If the directory environment is configured with data in a given subtree split across multiple servers (or multiple databases within the same server), and a subtree delete request would require removing entries from multiple servers (or databases).
  • If the directory environment is configured so that entries within the same portion of the DIT may be split up across multiple servers (a practice sometimes called “sharding” or “entry balancing”), and a modify or modify DN operation would require moving an entry from one server to another.
  • If the directory environment is configured so that entries within the same portion of the DIT may be split up across multiple servers, and in which each of those servers has the same parent entry at the top of that split DIT, and an operation attempts to add, delete, or modify that parent entry in a manner that would require the operation to be processed across all servers.

other (80)

Applicable operation types: add, bind, compare, delete, extended, modify, modify DN, search

The other result code is used when a problem occurs for which none of the other result codes is more appropriate. It is the correct result code to use in the event that an internal error occurs within the server (although some servers mistakenly use operationsError (1) for this purpose), but the other result code may be used for additional kinds of problems as well.

Restoring normal relationships within the domain.

  • Question

  • I have 2 DCs. At first there was an SBS; six months later a DC on 2008 R2 was added. And everything was fine. However, as it turned out, six months ago the SBS was switched off (and it held the FSMO roles) and was switched back on the day before yesterday. Is there still a chance of getting them to replicate?

We have been struggling for a few days with a strange LDAP error. The following code worked fine for more than a year. Suddenly it returns a local error (0x52) for a few user CNs.

The relevant code is (connect and bind always work, only the search fails for some user CNs):

$ldapconn = ldap_connect("LDAP URL")
    or die("Connection failed.");

ldap_bind($ldapconn, 'USERNAME', 'PASSWORD')
    or die("Binding failed");

$ldapsearch = ldap_search($ldapconn, '', '(&(uniqueMember=CN=FIRSTNAME LASTNAME,O=COMPANY)(objectClass=groupOfNames))')
    or die("Search failed: ".ldap_error($ldapconn));

The strange thing about this is that the code works for most users, but for a few it does not.

So for example:

$ldapsearch = ldap_search($ldapconn, '', '(&(uniqueMember=CN=FIRSTNAME_1 LASTNAME_1,O=COMPANY)(objectClass=groupOfNames))')
    -> works

$ldapsearch = ldap_search($ldapconn, '', '(&(uniqueMember=CN=FIRSTNAME_2 LASTNAME_2,O=COMPANY)(objectClass=groupOfNames))')
    -> fails

But both CNs definitely exist (in Softerra LDAP Browser both search commands work, and in Lotus Notes both users seem identical; it fails only with some LDAP clients and the PHP code).

We also found the following statement from IBM on this page:
https://www.ibm.com/support/knowledgecenter/en/ssw_ibm_i_71/apis/ldap_error_condt.htm

0x52 - Some local error occurred. This usually indicates that either the LDAP support (IBM® i option 32) is not installed on the system, or a malloc() operation has failed.

LDAP support is installed and we have no idea where the memory allocation error could possibly be.

If you need any more information, please let me know.

Any help is appreciated.

UPDATE:

We tried the search on CentOS with the CLI and got the same local error (so it's not a PHP LDAP problem; more likely it's a problem with the Notes Domino server):

ldapsearch -D "USERNAME" -w PASSWORD -h LDAP_URL -b "" -s sub "(&(uniqueMember=CN=FIRSTNAME LASTNAME,O=COMPANY)(objectClass=groupOfNames))"
    -> ldap_result: Local error (-2)

The error always occurs for the same users. The user CNs where the problem appears contain no special characters or the like, and they do not contain double first names or surnames.

The core LDAPv3 specification in RFC 4511 defines a number of result codes that are intended to be used in LDAP responses. This chapter describes each of those result codes, the types of operations for which that result code may be returned, and some of the potential causes for it. However, it does not attempt to provide every possible cause for every result code, since different directory servers have different capabilities, and some servers use different result codes for the same purpose. Further, because LDAP is an extensible protocol, and especially because it provides support for controls and extended operations, there may be yet-to-be-created conditions that warrant the use of a particular result code for an unexpected type of operation.

success (0)

Applicable operation types: add, bind, delete, extended, modify, modify DN, search

The success result code is used to indicate that the associated operation completed successfully, at least for some definition of success. It doesn’t necessarily mean that every single part of the operation completed exactly as intended. For example, if the request included a non-critical control that the server couldn’t honor for some reason, then it’s acceptable for the server to proceed as if the control hadn’t been included in the request and to return a response with the success result code if it completed all of the processing not related to that control.

For an add operation, the success result code indicates that the provided entry was created in the DIT.

For a bind operation, the success result code indicates that the provided credentials were valid, that the client connection was successfully authenticated as the target account, and that any requested authorization was applied.

For a delete operation, a success result code indicates that the targeted entry was removed.

For an extended operation, a success result code indicates that whatever processing is indicated for the associated request was completed without error. However, not all types of extended operations use the success result code for this purpose (for example, the cancel extended operation uses the canceled (118) result code to indicate that the target operation was successfully canceled). Just because an extended operation doesn’t return a result code of success doesn’t mean that an error occurred, so you should make sure that you understand the expected behavior for any extended operation that you expect to use.

For a modify operation, a success result code indicates that the requested changes were applied to the targeted entry.

For a modify DN operation, a success result code indicates that the targeted entry was renamed or moved.

For a search operation, a success result code indicates that all appropriate search results were returned. There may have been matching entries (or attributes within matching entries) that weren’t returned because the client wasn’t permitted to access them or because they were otherwise outside the bounds of the search constraints.

Compare operations should never use the success result code. A compare operation that completes successfully should return either compareTrue (6) if the assertion matched or compareFalse (5) if it did not.

operationsError (1)

Applicable operation types: add, compare, delete, extended, modify, modify DN, search

The operationsError result code indicates that the operation could not be processed because it wasn’t in the expected order relative to other operations on the same connection. Some of the reasons that the server might return a response with an operationsError result code include:

  • If an unauthenticated client sends a request that is only allowed for authenticated clients. In that case, the client should perform a bind to authenticate and then re-try the original request.
  • If a client sends any request on a connection that is actively processing a bind, or if a client sends a non-bind request in the middle of a multi-stage SASL bind operation. Clients should not send any other requests on a connection while a bind is in progress.
  • If a client sends a StartTLS extended request on a connection that has already been secured.
  • If a client sends a StartTLS extended request on a connection that has one or more outstanding requests already in progress. The client should wait for any outstanding requests to complete before sending a StartTLS request.

Some directory servers incorrectly use the operationsError result code as if it meant “server error”. This isn’t the intended use for the operationsError result code, and the other (80) result code is the correct one to use for this purpose, but some servers do it nonetheless.

protocolError (2)

Applicable operation types: add, bind, compare, delete, extended, modify, modify DN, search

The protocolError result code indicates that there was a problem with the client’s use of the LDAP protocol. Some of the possible causes for the protocolError result code are:

  • If the client sends a request that the server cannot parse. This may be a malformed LDAP message, an LDAP message with an unrecognized protocol operation type, or any other kind of improperly-formatted request. In some of these cases, it may be possible for the server to include the protocolError result code in a response to the requested operation, but this can only happen if the server can decode the request enough to determine the appropriate message ID and operation type for the response. But for many malformed requests, the server won’t be able to respond directly to that request, and will instead need to use the notice of disconnection unsolicited notification with a protocolError result code before terminating the connection.
  • If the client sends a bind request with an unrecognized LDAP protocol version. At this point, clients should only ever use LDAPv3. Although some clients and servers still support LDAPv2, it was declared historic by RFC 3494 in 2003, and should no longer be used. Similarly, because LDAPv3 is highly extensible, there will probably never be a need for an LDAPv4.
  • If the client sends an extended request with an unrecognized request OID. Clients should generally look at the supportedExtension attribute of a server’s root DSE to determine what types of extended operations the server supports before sending any extended requests.
  • If the client sends an LDAP request with an illegal combination of critical controls. Before using multiple controls in an LDAP request, you should make sure that they can all be used together.

timeLimitExceeded (3)

Applicable operation types: add, bind, compare, delete, extended, modify, modify DN, search

The timeLimitExceeded result code indicates that the associated operation failed because it hadn’t completed by the time a maximum processing time limit had been reached. This result code can technically be returned in response to any kind of operation, but it’s most commonly used for searches because they have the most potential to take a very long time to complete (especially if the search matches a large number of entries or if the server doesn’t have the indexes necessary to process the request efficiently) and because only search requests allow the client to specify an upper bound for how long it wants the server to spend processing the operation.

Even though the client can specify the desired time limit in the search request, directory servers generally treat this as an upper bound. The server may impose its own time limit for the operation, and that time limit may be more restrictive than the one the client requested.

If a search operation fails with a timeLimitExceeded result code, then the server may have already returned a subset of the entries matching the search criteria. However, the client should not assume that this is the complete set of matching entries, and should not necessarily assume that they were returned in any particular order (unless the search request included a critical server-side sort request control).

The timeLimitExceeded result code may also be used in cases where the request is received by one LDAP server (or LDAP proxy server), and is then forwarded on to another server for processing. In the event the backend server takes too long to respond to this request, the intermediate server may give up and return a response with a timeLimitExceeded result code. If the requested operation is intended to alter the contents of the server, then the associated changes may or may not eventually be applied.

sizeLimitExceeded (4)

Applicable operation types: search

The sizeLimitExceeded result code indicates that the associated search operation failed because the server has determined that the number of entries that would be returned in response to the search would exceed the upper bound for that operation.

As with the timeLimitExceeded (3) result code, every search request includes an element that specifies the maximum size limit that the client wants to use, but the server may impose its own limit that is lower than the limit requested by the client. And the server may or may not have already returned some number of entries before encountering the size limit.

compareFalse (5)

Applicable operation types: compare

The compareFalse result code indicates that the associated compare request targeted an entry that exists and that contains the targeted attribute, but does not have any value that matches the provided assertion value.

compareTrue (6)

Applicable operation types: compare

The compareTrue result code indicates that the associated compare request targeted an entry that exists and that contains the targeted attribute with a value that matches the provided assertion value.

authMethodNotSupported (7)

Applicable operation types: bind

The authMethodNotSupported result code indicates that the associated bind operation failed because the client attempted to authenticate with a mechanism that the server does not support or that it does not allow the client to use. This result code can be returned in response to a simple bind request if the server does not permit simple authentication. It can be returned in response to a SASL bind request if the server does not support the requested SASL mechanism, or if the client is not allowed to authenticate with that SASL mechanism.

strongerAuthRequired (8)

Applicable operation types: add, bind, compare, delete, extended, modify, modify DN, search

The strongerAuthRequired (formerly strongAuthRequired) result code indicates that the server requires the client to authenticate with a stronger form of authentication.

If the strongerAuthRequired result code is received in response to a bind request, it indicates that the server requires a stronger form of authentication for that client. The client should try authenticating with a stronger mechanism.

If the strongerAuthRequired result code is received in response to some other type of request, it indicates that the requested operation is only allowed for clients that have completed some stronger form of authentication. The client should try authenticating with a stronger mechanism, and then re-submit the request that triggered this result code.

If the strongerAuthRequired result code is received in a notice of disconnection unsolicited notification, it indicates that the server believes that the security of the communication channel between the client and the server has failed or become compromised, and is terminating the connection as a result. The client should establish a new connection and negotiate a new security layer for that connection.

referral (10)

Applicable operation types: add, bind, compare, delete, extended, modify, modify DN, search

The referral result code indicates that the request cannot be processed exactly as issued, but that it might succeed if re-issued to a different server, or is updated to target a different location in the DIT. If the client supports following referrals, then it shouldn’t treat this as an error, but rather as an indication that the request needs to be tried again based on the information contained in the referral.

Some of the reasons that the server might return a response with the referral result code are:

  • If the server is operating in a mode in which it cannot process the request but is aware of other servers that may be able to process it. For example, if a request attempts to apply some change to the data in a read-only server, then that server might use a referral to redirect the client to a server that supports write operations.
  • If the DIT is broken up across multiple servers and the client targets an entry in a portion of the DIT that is not contained locally. If the directory server is aware of the servers that are expected to contain the targeted entry, then it may use a referral to redirect the client to those servers.
  • If the request targets an entry at or below a “smart referral” in the DIT. A smart referral is a special kind of entry with the referral structural object class and the ref operational attribute whose values are the URIs that should be included in the response.

When processing a search operation, the referral result code should only be used when locating the base entry for the search (for example, if the search base DN references an entry known to be in a portion of the DIT housed elsewhere, or if it resides at or below a smart referral entry). If the entry targeted by the search base DN is held locally but one or more portions of the search scope might require the client to issue the search elsewhere, then those referral URIs should be returned to the client in the form of search result reference messages.

It is also possible that the referral result code could be returned in response to a bind request. If the referral URIs indicate that the client should send the bind request to a different server, then it is generally recommended that the client send all subsequent operations to the same server targeted by the bind referral. If a client follows a bind referral to a different server, then the original server will not have any knowledge of that bind attempt, and its authentication state will not have been updated to reflect the success or failure of the bind in the other server.

Clients must be aware of the possibility that a request sent in response to a referral could itself yield another referral. This could happen, for example, if the server that returned the previous referral had outdated information about the location of the targeted entry, or if the referral targeted a server that was temporarily unable to process the request. Any client that supports following referrals should be prepared to receive nested referrals, and should also have some mechanism for detecting and avoiding referral loops (in which one referral contains a URI that indicates that the client should send a request that it has already sent). This could be accomplished by ensuring that the client remembers all of the request details for each attempt at processing a given operation, and having that client abort if it would send a request that it has already sent. Alternately, it could be accomplished by maintaining a counter that is to be incremented each time the client follows a referral and having the client abort if the counter reaches a specified value. RFC 4511 section 4.1.10 indicates that a client must be able to handle at least ten nested referrals (but honestly, that seems pretty excessive).

If the client detects a referral loop, then it should use the clientLoop (96) client-side result code. If the server detects a referral loop (for example, when attempting to automatically follow a referral on behalf of the client), then the loopDetect (54) result code is more appropriate.

Referrals are described in detail in RFC 4511 section 4.1.10, including the behavior that clients should exhibit when encountering referrals. The basic rules are:

  • If the referral URI includes a base DN value, then the client should use that DN in its next request. If the referral URI does not include a base DN, then the client should use the same DN as it used for the request that triggered the referral.
  • If a referral URI returned in response to a search request includes a search filter, then the client should use that filter in the request that it issues when following the referral. If the referral URI does not include a filter, then the client should use the same filter as it used for the request that triggered the referral.
  • If a referral URI returned in response to a search request includes a search scope, then the client should use that scope in the request that it issues when following the referral. If the referral URI does not include a scope, then the client should use the same scope as it used for the request that triggered the referral.

Other considerations for following referrals include:

  • If the referral URI does not specify the address of the server to which the request is to be sent, then it generally indicates that the request should be sent to the same server but with different parameters. This is especially true for a referral URI that has a different base, scope, or filter than the request that triggered the referral. However, RFC 4516 does indicate that if a client encounters an LDAP URL without a host, then the client may be expected to have some a priori knowledge of the appropriate server to which the request should be sent.
  • If a client needs to establish a new connection when following a referral, then the client should ensure that the new connection has at least the same level of security as the original connection. For example, if the original connection was protected with TLS, then the client should negotiate TLS security on any new connection that it establishes when following that referral.
  • If a client needs to establish a new connection when following a referral for any type of operation other than a bind, the client should ensure that the new connection is authenticated before sending the referral request. Unless the client has specific knowledge that different credentials or a different authentication method are required when following the referral, it should use the same authentication method and credentials for any new connection that it establishes when following that referral.
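The referral-following rules above (inherit the base DN, scope and filter from the triggering request when the URI omits them, treat a host-less URI as the same server with new parameters, never drop below the original connection's security level, cap the number of hops and detect loops with clientLoop (96)) as an added Python example. This is illustrative code written for this page, not part of the original reference or of any LDAP library. The SearchRequest type, the send callback and the two-server fake_send directory are constructed for the example; the hop limit of ten is the RFC 4511 section 4.1.10 minimum quoted above.

```python
"""Client-side referral following per RFC 4511 section 4.1.10 and RFC 4516.
Constructed illustration: the request type and the fake directory below are
made up for this example and are not any library's API."""
from dataclasses import dataclass
from urllib.parse import urlsplit, unquote

CLIENT_LOOP = 96          # client-side result code for a detected referral loop
MAX_REFERRAL_HOPS = 10    # RFC 4511 4.1.10: clients must cope with at least ten


@dataclass(frozen=True)
class SearchRequest:
    host: str             # server the request is sent to
    base_dn: str
    scope: str            # "base", "one" or "sub"
    filter: str
    tls: bool = True      # security level of the connection carrying the request


def parse_ldap_url(url):
    """Return (scheme, host, base_dn, scope, filter) from an RFC 4516 LDAP URL.
    Parts the URL does not specify come back as None."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL: " + url)
    host = parts.netloc or None
    base_dn = unquote(parts.path[1:]) if len(parts.path) > 1 else None
    fields = parts.query.split("?")          # attributes ? scope ? filter ? extensions
    scope = unquote(fields[1]) if len(fields) > 1 and fields[1] else None
    filt = unquote(fields[2]) if len(fields) > 2 and fields[2] else None
    return parts.scheme, host, base_dn, scope, filt


def next_request(current, referral_url):
    """Build the request to send when following referral_url from current."""
    scheme, host, base_dn, scope, filt = parse_ldap_url(referral_url)
    return SearchRequest(
        host=host or current.host,                # no host: same server, new parameters
        base_dn=base_dn if base_dn is not None else current.base_dn,
        scope=scope or current.scope,
        filter=filt or current.filter,
        tls=current.tls or scheme == "ldaps",     # never downgrade the security level
    )


def follow_referrals(request, send):
    """send(request) returns ("entries", [...]) or ("referral", [urls]).
    Returns ("ok", entries) or ("error", CLIENT_LOOP)."""
    seen = {request}
    for _ in range(MAX_REFERRAL_HOPS + 1):        # initial send plus up to ten hops
        kind, payload = send(request)
        if kind != "referral":
            return "ok", payload
        request = next_request(request, payload[0])  # a fuller client tries each URI in turn
        if request in seen:                          # same request already sent: loop
            return "error", CLIENT_LOOP
        seen.add(request)
    return "error", CLIENT_LOOP                      # hop limit reached; treat like a loop


def fake_send(req):
    """Constructed two-server directory: ldap1 holds the suffix and refers
    everything under ou=People to ldap2, which holds those entries."""
    if req.host == "ldap1.example.com" and req.base_dn.lower().endswith("ou=people,dc=example,dc=com"):
        return "referral", ["ldap://ldap2.example.com/ou=People,dc=example,dc=com"]
    if req.host == "ldap2.example.com":
        return "entries", ["uid=jdoe,ou=People,dc=example,dc=com"]
    return "entries", []


if __name__ == "__main__":
    req = SearchRequest("ldap1.example.com", "ou=People,dc=example,dc=com", "sub", "(uid=jdoe)")
    print(follow_referrals(req, fake_send))
    print(follow_referrals(req, lambda r: ("referral", ["ldap:///"])))
```

The loop check keys on the whole request (host, base DN, scope, filter, security level), so a referral that only changes the base DN or filter on the same server is followed, while a host-less URI with no new parameters is caught on the first hop.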

adminLimitExceeded (11)

Applicable operation types: add, bind, compare, delete, extended, modify, modify DN, search

The adminLimitExceeded result code indicates that some administrative limit within the server was exceeded while processing the request. RFC 4511 does not provide any specific guidance on when this result code might be returned, but draft-just-ldapv3-rescodes suggests that a server might return it if there is some upper bound on the number of entries that it will examine in the course of processing a search. In fact, several directory servers do enforce such a limit, and that limit is often referred to as a lookthrough limit.

Another instance in which this result code might be returned would be in the case of a server that supports the subtree delete request control as described in draft-armijo-ldap-treedelete. If the server imposes an upper limit on the size of a subtree that may be deleted, then the server may return the adminLimitExceeded result code when trying to delete a subtree that contains more than that number of entries.

unavailableCriticalExtension (12)

Applicable operation types: add, bind, compare, delete, extended, modify, modify DN, search

The unavailableCriticalExtension result code indicates that the request includes a control with a criticality of true, but that control could not be honored for some reason. Some of the potential causes for this result code include:

  • The server does not support the requested control. It’s generally a good idea for clients to look at the supportedControl operational attribute in the server’s root DSE to determine which request controls the server supports before using any controls.
  • The requested control is not applicable to the requested type of operation (for example, if a server-side sort request control is included in an add request).
  • The requested control is only supported for the requested type of operation when the request matches certain criteria, but those criteria were not satisfied (for example, the virtual list view request control can only be used in a search request that also includes the server-side sort request control).
  • The requested control is only supported for entries in some portion of the DIT, but the request targets content in a location where the control is not supported (for example, some controls may only be supported when targeting user entries, but not when targeting server-provided entries like the root DSE, schema subentry, or configuration entries).

confidentialityRequired (13)

Applicable operation types: add, bind, compare, delete, extended, modify, modify DN, search

The confidentialityRequired result code indicates that the server is only willing to process the requested operation if it is received over a secure connection that does not allow an eavesdropper to decipher or alter the contents of the request or response. For example, a server may only permit operations that involve clear-text passwords (like a simple bind request or a password modify extended request) to be requested over a secure connection and could return this result code in response to an attempt to send a clear-text password over an insecure connection.

If a client receives the confidentialityRequired result code, then it should take steps to secure the existing connection (for example, using the StartTLS extended operation, or by binding with a SASL mechanism that supports the auth-conf quality of protection), or to establish a new secure connection (for example, using a TLS-based connection) before re-sending the request.

saslBindInProgress (14)

Applicable operation types: bind

The saslBindInProgress result code indicates that the server has completed a portion of the processing for the provided SASL bind request, but that it needs additional information from the client to complete the authentication. Certain SASL mechanisms, like CRAM-MD5, DIGEST-MD5, and GSSAPI, require multiple stages of processing and therefore require multiple request-response cycles with the server, and the saslBindInProgress result code is used in all bind responses except for the last one in the sequence (which will indicate whether the bind succeeded or failed).

This is not an error result, but it does mean that the client needs to send another bind request with the same SASL mechanism and additional credentials. The client must not send any other requests on the connection until it has sent a bind request and the server has returned a bind response with a non-saslBindInProgress result code. If a client sends any other kind of request in the middle of a multi-stage SASL bind, the server should reject that request with an operationsError (1) result code.
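The per-connection ordering rules from the operationsError section (no other request during a bind, StartTLS only on an idle unsecured connection, authenticated-only operations refused for anonymous clients), the protocolError rule for a non-LDAPv3 bind, and the multi-stage bind sequence described above, as an added Python example of the admission check a server applies before processing a request. This is illustrative code written for this page, not the original reference's or any server's implementation. The Connection type, the set of operations assumed to require authentication, and the policy that a clear-text simple bind password must arrive over TLS (returning confidentialityRequired (13)) are assumptions of the example; the rejection of a simple bind with a DN but no password with unwillingToPerform (53) follows the RFC 4513 section 5.1.2 recommendation discussed under unwillingToPerform on this page.

```python
"""Per-connection request-ordering checks, as a server would apply them before
processing a request. Constructed illustration; result code values are from
RFC 4511, the policy choices are assumptions noted in the comments."""
from dataclasses import dataclass, field

OPERATIONS_ERROR = 1
PROTOCOL_ERROR = 2
CONFIDENTIALITY_REQUIRED = 13
SASL_BIND_IN_PROGRESS = 14
INVALID_CREDENTIALS = 49
UNWILLING_TO_PERFORM = 53

# Assumed server policy: write operations require an authenticated client.
AUTH_REQUIRED_OPS = {"add", "delete", "modify", "modifyDN"}


@dataclass
class Connection:
    authenticated: bool = False
    bind_in_progress: bool = False                   # a (possibly multi-stage) bind has not finished
    tls_secured: bool = False                        # StartTLS (or LDAPS) has been negotiated
    outstanding: set = field(default_factory=set)    # message IDs still being processed


def admit(conn, msg_id, op, simple_dn=None, password=None, version=3):
    """Return None if the request may be processed, else the result code to reject it with.

    Nothing but a bind is accepted while a bind is in progress; StartTLS is refused on
    an already-secured or busy connection; authenticated-only operations from an
    anonymous client get operationsError (the client should bind and retry); a simple
    bind with a DN but no password is refused (RFC 4513 5.1.2); and, as an assumed
    policy, a clear-text password must arrive over TLS.
    """
    if conn.bind_in_progress and op != "bind":
        return OPERATIONS_ERROR
    if op == "bind":
        if version != 3:
            return PROTOCOL_ERROR
        if simple_dn is not None:                    # simple bind (simple_dn == "" is anonymous)
            if simple_dn and not password:
                return UNWILLING_TO_PERFORM          # unauthenticated bind, not anonymous
            if password and not conn.tls_secured:
                return CONFIDENTIALITY_REQUIRED
        conn.outstanding.clear()       # RFC 4511 4.2.1: uncompleted operations finish or are abandoned first
        conn.authenticated = False     # anonymous until the new bind completes successfully
        conn.bind_in_progress = True
        return None
    if op == "startTLS":
        if conn.tls_secured or conn.outstanding:
            return OPERATIONS_ERROR
        conn.tls_secured = True
        return None
    if op in AUTH_REQUIRED_OPS and not conn.authenticated:
        return OPERATIONS_ERROR
    conn.outstanding.add(msg_id)
    return None


def bind_response(conn, final, success):
    """Result code for one bind stage: saslBindInProgress until the last stage answers."""
    if not final:
        return SASL_BIND_IN_PROGRESS
    conn.bind_in_progress = False
    conn.authenticated = success
    return 0 if success else INVALID_CREDENTIALS


def complete(conn, msg_id):
    """Mark a non-bind request as finished so StartTLS can be accepted again."""
    conn.outstanding.discard(msg_id)


if __name__ == "__main__":
    c = Connection()
    print(admit(c, 1, "modify"))                       # 1: anonymous client, bind first
    print(admit(c, 2, "bind"))                          # None: SASL bind stage 1 accepted
    print(bind_response(c, final=False, success=False)) # 14: saslBindInProgress
    print(admit(c, 3, "search"))                        # 1: search during a bind
```

Because the gate runs before any real processing, a client that ignores saslBindInProgress and sends a search mid-bind gets operationsError without the server having to look at the search at all.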

noSuchAttribute (16)

Applicable operation types: compare, modify

The noSuchAttribute result code indicates that the request targeted an attribute that does not exist in the specified entry.

For a compare request, it indicates that the targeted entry exists, but does not have any values for the attribute used in the compare assertion.

For a modify request, it indicates that the request attempted to delete one or more attribute values that don’t exist in the targeted entry, that it attempted to delete an entire attribute that does not have any values in the targeted entry, or that it attempted to increment the value of an attribute that does not have any values in the targeted entry.

undefinedAttributeType (17)

Applicable operation types: add, modify

The undefinedAttributeType result code indicates that the request attempted to provide one or more values for an attribute type that is not defined in the server schema.

For an add request, it indicates that the provided entry included an attribute for which there is no corresponding attribute type definition in the schema.

For a modify request, it indicates that a modification attempted to add one or more values, or to replace the entire set of values, for an attribute type that is not defined in the server schema.

inappropriateMatching (18)

Applicable operation types: search

The inappropriateMatching result code indicates that the search request tried to perform some type of matching that is not supported for the target attribute type. Some of the potential causes for this result code include:

  • If the search filter contains an equality component that targets an attribute type without an equality matching rule.
  • If the search filter contains a greater-or-equal or less-or-equal component that targets an attribute type without an ordering matching rule.
  • If the search filter contains a substring component that targets an attribute type without a substring matching rule.
  • If the search filter contains an approximate-match component that targets an attribute type for which approximate matching is not supported.
  • If an extensible match filter attempts to use a matching rule in combination with an attribute type for which the requested matching rule is not supported.
  • If a search request includes a server-side sort request control with a sort key that does not specify a matching rule and for which the attribute type does not have an ordering matching rule.
  • If a search request includes a server-side sort request control with a sort key that specifies a matching rule that is not supported for the target attribute type.

constraintViolation (19)

Applicable operation types: add, modify, modify DN

The constraintViolation result code indicates that the requested operation would have resulted in an entry that violates some constraint defined within the server. Some of the potential causes for this result code are:

  • If the requested operation would have resulted in a single-valued attribute having multiple values.
  • If the server is configured to ensure that no two entries are allowed to have the same value for a particular attribute type, and the requested operation would have resulted in an entry with a value that is already in use in some other entry in the server.
  • If the requested operation would have resulted in an attribute with at least one value that conforms to the syntax of the associated attribute type, but that violates some other constraint defined for that attribute (for example, if the server would have required a numeric value within a particular range, but the provided value was outside of that range).

attributeOrValueExists (20)

Applicable operation types: add, modify

The attributeOrValueExists result code indicates that the requested operation would have resulted in an attribute in which the same value appeared more than once.

For an add request, it indicates that at least one of the attributes in the provided entry had a duplicate value.

For a modify request, it indicates that either an add or replace modification included the same value multiple times, or that an add modification attempted to add a value that already exists in the entry.

invalidAttributeSyntax (21)

Applicable operation types: add, modify

The invalidAttributeSyntax result code indicates that the requested add or modify operation would have resulted in an entry that had at least one attribute value that does not conform to the constraints of the associated attribute syntax.
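The modify-related result codes described in the noSuchAttribute (16), undefinedAttributeType (17), constraintViolation (19), attributeOrValueExists (20) and invalidAttributeSyntax (21) sections above, as one added Python example that validates a sequence of modifications against an entry and returns the code a server would send for the first problem found. This is illustrative code written for this page, not the original reference's or any server's implementation. The toy schema (only a single-valued flag and a syntax check per attribute type), the (op, attr, values) modification tuples and the sample entry are constructed for the example, and attribute names are compared case-sensitively, which real servers do not do.

```python
"""Validating a modify request and choosing the result code for the first
problem found. Constructed illustration with a toy schema; a real server uses
its full schema, matching rules and case-insensitive attribute names."""

SUCCESS = 0
NO_SUCH_ATTRIBUTE = 16
UNDEFINED_ATTRIBUTE_TYPE = 17
CONSTRAINT_VIOLATION = 19
ATTRIBUTE_OR_VALUE_EXISTS = 20
INVALID_ATTRIBUTE_SYNTAX = 21

# Assumed toy schema: attribute type -> (single-valued?, syntax check).
SCHEMA = {
    "cn": (False, lambda v: len(v) > 0),
    "description": (False, lambda v: True),
    "mail": (False, lambda v: "@" in v),
    "uidNumber": (True, lambda v: v.isdigit()),
}


def check_modify(entry, mods, schema=SCHEMA):
    """Apply mods (a list of (op, attr, values) tuples) to entry in place if every
    modification is valid; otherwise leave entry untouched and return the result
    code for the first problem. op is "add", "delete", "replace" or "increment"."""
    work = {attr: list(values) for attr, values in entry.items()}   # scratch copy
    for op, attr, values in mods:
        current = work.get(attr, [])
        if op in ("add", "replace"):
            if attr not in schema:
                return UNDEFINED_ATTRIBUTE_TYPE
            if len(set(values)) != len(values):
                return ATTRIBUTE_OR_VALUE_EXISTS        # same value listed twice
            if op == "add" and any(v in current for v in values):
                return ATTRIBUTE_OR_VALUE_EXISTS        # value already present
            new = current + list(values) if op == "add" else list(values)
        elif op == "delete":
            if not current or any(v not in current for v in values):
                return NO_SUCH_ATTRIBUTE                # attribute or value absent
            new = [v for v in current if v not in values] if values else []
        elif op == "increment":                         # RFC 4525: every value +/- delta
            if len(values) != 1:
                raise ValueError("increment takes exactly one delta value")
            if not current:
                return NO_SUCH_ATTRIBUTE
            try:
                new = [str(int(v) + int(values[0])) for v in current]
            except ValueError:
                return INVALID_ATTRIBUTE_SYNTAX         # not an integer attribute
        else:
            raise ValueError("unknown modification type: " + op)
        if attr in schema:
            single, syntax_ok = schema[attr]
            if not all(syntax_ok(v) for v in new):
                return INVALID_ATTRIBUTE_SYNTAX
            if single and len(new) > 1:
                return CONSTRAINT_VIOLATION
        if new:
            work[attr] = new
        else:
            work.pop(attr, None)                        # last value removed: drop the attribute
    entry.clear()                                       # everything passed: commit atomically
    entry.update(work)
    return SUCCESS


# Constructed sample entry used by the demo and the checks below.
SAMPLE_ENTRY = {"cn": ["John Doe"], "uidNumber": ["1000"], "mail": ["jdoe@example.com"]}

if __name__ == "__main__":
    e = {k: list(v) for k, v in SAMPLE_ENTRY.items()}
    print(check_modify(e, [("add", "uidNumber", ["1001"])]))   # 19: single-valued
    print(check_modify(e, [("increment", "uidNumber", ["5"])]), e["uidNumber"])
```

The scratch copy matters: LDAP treats a modify request as atomic, so a failure in the third modification must not leave the first two applied, and the result code describes the first modification that could not be applied.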

noSuchObject (32)

Applicable operation types: add, compare, delete, extended, modify, modify DN, search

The noSuchObject result code indicates that the requested operation targeted an entry that does not exist within the DIT.

For an add request, it means that the immediate parent of the entry to be added does not exist and that the DN of the entry to be added does not match any of the configured naming contexts.

For a compare, delete, or modify request, it indicates that the targeted entry does not exist.

For a modify DN request, it indicates that either the targeted entry does not exist, or that the provided new superior DN references an entry that does not exist.

For a search request, it indicates that the entry targeted by the search base DN does not exist.

The noSuchObject result code is not supposed to be returned in response to a bind operation. The invalidCredentials (49) result code should be used when the bind request targets an entry that does not exist, but some directory servers are known to incorrectly use the noSuchObject result code in this case.

A response that includes the noSuchObject result code may also include a matched DN to specify the DN of the nearest ancestor to the provided DN that does exist in the DIT. For example, if a modify request targets the nonexistent uid=missing,ou=People,dc=example,dc=com entry, but the ou=People,dc=example,dc=com entry does exist, then the modify response should have a result code of noSuchObject and a matched DN of ou=People,dc=example,dc=com. However, if none of the ancestors for the targeted entry exist in the DIT, or if the client does not have permission to access any of those ancestor entries, then the matched DN should be omitted from the response.
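Choosing the matched DN for a noSuchObject response, as an added Python example: walk up from the missing entry's DN and report the nearest ancestor that exists and that the requester is allowed to see, or nothing when no ancestor qualifies (the same rule the invalidDNSyntax section below applies to the decodable part of a DN). This is illustrative code written for this page, not the original reference's or any server's implementation. The list of existing DNs, the can_access callback and the simplification of comparing whole DNs case-insensitively (instead of applying each attribute's matching rule) are assumptions of the example.

```python
"""Choosing the matched DN for a noSuchObject response: the nearest ancestor of
the missing entry that exists and that the requester may read. Constructed
illustration; DN comparison is simplified to case-insensitive string matching."""


def split_rdns(dn):
    """Split a DN into RDN strings on unescaped commas (RFC 4514), keeping escapes."""
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:                      # character after a backslash is literal
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(current).lstrip())   # tolerate "a=b, c=d" spacing
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current).lstrip())
    return [rdn for rdn in rdns if rdn]


def normalize(dn):
    """Canonical form for comparison (assumption: whole-DN case folding suffices)."""
    return ",".join(rdn.lower() for rdn in split_rdns(dn))


def matched_dn(target_dn, existing_dns, can_access):
    """Return the DN to report as matchedDN for a request that targeted the
    nonexistent target_dn, or None if no ancestor exists or none is accessible.
    can_access(dn) is the access-control decision for the requester."""
    existing = {normalize(dn): dn for dn in existing_dns}
    rdns = split_rdns(target_dn)
    for depth in range(1, len(rdns)):               # parent, grandparent, ...
        candidate = ",".join(rdns[depth:])
        match = existing.get(normalize(candidate))
        if match is not None and can_access(match):
            return match                            # nearest existing, readable ancestor
    return None


# Constructed sample DIT for the demo and checks.
EXISTING = ["dc=example,dc=com", "ou=People,dc=example,dc=com", "ou=Secret,dc=example,dc=com"]

if __name__ == "__main__":
    print(matched_dn("uid=missing,ou=People,dc=example,dc=com", EXISTING, lambda dn: True))
    print(matched_dn("uid=missing,ou=Nowhere,dc=example,dc=com", EXISTING, lambda dn: True))
    print(matched_dn("cn=x,ou=Secret,dc=example,dc=com", EXISTING,
                     lambda dn: not dn.lower().startswith("ou=secret")))
```

Passing the access decision into the lookup is the point: without it, the matched DN would confirm to an unprivileged client that a hidden subtree exists, which is exactly what the "omit the matched DN" rule above is meant to prevent.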

aliasProblem (33)

Applicable operation types: search

The aliasProblem result code indicates that a problem occurred while attempting to dereference an alias during search processing. For example, it may be used if an alias is encountered that references an entry that does not exist. In such cases, the search result done response may also include a matched DN that specifies the nearest ancestor to the dereferenced entry that does exist in the DIT.

Aliases are only to be dereferenced in the course of processing a search operation, so this result code does not apply to any other type of operation. If an alias-related problem is encountered for any other type of operation (for example, if a non-search operation targets an entry that is an alias), then the aliasDereferencingProblem (36) result code should be used.

invalidDNSyntax (34)

Applicable operation types: add, bind, compare, delete, extended, modify, modify DN, search

The invalidDNSyntax result code indicates that the request included a malformed entry DN. It may indicate that the provided DN does not conform to the syntax specified in RFC 4514, or that one or more of the attribute values included in the DN does not conform to the associated attribute syntax.

For an add, compare, delete, or modify request, it indicates that the provided target entry DN is malformed.

For a simple bind request, it indicates that the provided target entry DN is malformed. For a SASL bind request, it indicates that the authentication or authorization identity was specified using a malformed DN.

For a modify DN request, this indicates that at least one of the target entry DN, the new RDN, or the new superior DN is malformed.

For a search request, it indicates that the search base DN is malformed.

In the event that the server is able to partially decode the provided DN, the response may also include a matched DN that specifies the nearest ancestor to the decodable portion of the DN that does exist within the server and that the requester has permission to access.

aliasDereferencingProblem (36)

Applicable operation types: add, bind, compare, delete, extended, modify, modify DN, search

The aliasDereferencingProblem result code indicates that the server encountered an alias while processing the request and that there was some problem related to that alias.

The draft-just-ldapv3-rescodes draft suggests that this result code should only be returned for a search operation, especially if the client does not have permission to access the aliased entry, or if the client does not have permission to access the aliasedObjectName attribute in the alias entry. However, RFC 4511 also suggests that it may be returned in the event that an operation targets an alias entry in a manner that is not allowed. For example, aliases are not allowed to be dereferenced when processing non-search operations, so the aliasDereferencingProblem result code may be used to indicate that the targeted DN matched or was subordinate to the DN of an alias entry.

inappropriateAuthentication (48)

Applicable operation types: bind

The inappropriateAuthentication result code indicates that the client attempted to bind in a manner that is inappropriate for the target account. Some possible reasons for this result code include:

  • The client attempted to perform anonymous authentication, but the server does not permit anonymous authentication.
  • The client attempted to perform a type of authentication for which the target account does not have an appropriate set of credentials. For example, this result code may be returned if a client attempts to perform a password-based bind when the target user’s entry does not contain a password.
  • The client attempted to perform a type of authentication that is not allowed for that client. For example, the client attempted to perform a lower-security type of authentication (like simple authentication or SASL PLAIN) when a stronger method (e.g., a client certificate or a two-factor mechanism) is required.

invalidCredentials (49)

Applicable operation types: bind

The invalidCredentials result code indicates that the client attempted to bind with a set of credentials that cannot be used to authenticate. Some of the potential reasons that this result code might be returned are:

  • The bind request targeted a user that does not exist.
  • The client tried to authenticate with an incorrect password.
  • The client tried to authenticate with a SASL bind request that included non-password credentials that could not be successfully verified.
  • The bind request targeted a user that is not permitted to authenticate for some reason (for example, because the account has been locked, the user’s password has expired, etc.).

insufficientAccessRights (50)

Applicable operation types: add, compare, delete, extended, modify, modify DN, search

The insufficientAccessRights result code indicates that the client requested an operation for which it does not have the necessary access control permissions, with the following caveats:

  • This result code should not be returned in response to a bind request. The invalidCredentials (49) result code is the correct one to use for that.
  • This result code should only be returned in response to a search request if there is a problem with the search request itself (for example, if the client isn’t able to access the entry specified as the search base DN, or if it isn’t able to search with the provided filter). If there are any search result entries that the client doesn’t have permission to access, those entries should simply be omitted from the results that are returned to the client with no impact on the result code.
  • This result code should not be returned in response to a search request if the base DN targets an alias entry that references an entry the client does not have permission to access. The aliasDereferencingProblem (36) result code is the correct one to use for that.

busy (51)

Applicable operation types: add, bind, compare, delete, extended, modify, modify DN, search

The busy result code indicates that the requested operation cannot be processed because the server is currently too busy. The client may wish to re-submit the request at a later time or send it to a different server.

unavailable (52)

Applicable operation types: add, bind, compare, delete, extended, modify, modify DN, search

The unavailable result code indicates that the server is currently not available to process the requested operation. Some of the uses for this result code include:

  • If the server is in the process of shutting down and is no longer accepting requests.
  • If the server is in the process of starting up but is not yet ready to accept requests.
  • If a portion of the server is unavailable for some reason. For example, a directory server might return this result code if an administrative operation (e.g., importing data from LDIF, restoring a backup, rebuilding indexes, etc.) has made a portion of the DIT inaccessible.
  • If the server depends on an external resource that is currently unavailable. For example, an LDAP proxy server might return this result code if all of the backend servers are unreachable.

If a client receives an unavailable result, it may wish to re-submit the request at a later time or send it to a different server.

unwillingToPerform (53)

Applicable operation types: add, bind, compare, delete, extended, modify, modify DN, search

The unwillingToPerform result code indicates that the server is not willing to process the requested operation for some reason. This is a fairly generic result code that may be used if the server refuses to process an operation for a reason that is not covered by a more specific result code. If there is a more specific result code, then that should be used instead. For example, if the client doesn’t have the necessary access control permissions that the operation requires, the server should return insufficientAccessRights (50) instead of unwillingToPerform.

There are many potential causes for this result code. Some of them include:

  • If a simple bind request includes a DN but no password. This was allowed by the original LDAPv3 specification (RFC 2251), and the server was to treat it as an anonymous simple bind just like if both the bind DN and password elements of the bind request had been empty. However, this behavior was responsible for a number of security vulnerabilities in poorly-written applications (in which they didn’t bother to check whether the password was empty before using it to bind). The revised LDAPv3 specification (RFC 4513 section 5.1.2) now recommends rejecting a simple bind request with a DN but no password with the unwillingToPerform result code.
  • If the server can determine that the requested operation would be too expensive to process. For example, the server may reject a search request if it can determine that it does not have an appropriate set of indexes in place that would be needed to process that search efficiently.
  • If an add or modify request attempts to write values for attributes that are declared as NO-USER-MODIFICATION in the server schema.
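The first cause above is worth seeing in code, because the damage is done on the client side: an application that forwards an empty password to a legacy server gets a successful (anonymous) bind back and mistakes it for a user login. The following Python is an added example, not code from the original article or from any directory server; it simulates the two server behaviours described (RFC 2251 versus RFC 4513 section 5.1.2) against a constructed one-entry directory and shows the application-side guard that makes the outcome safe regardless of which behaviour the server has.

```python
"""Added example: why a simple bind with a DN but no password is dangerous.

Two hypothetical server behaviours are modelled in pure Python (no real LDAP
server is contacted): the original RFC 2251 behaviour, which treats a DN with
an empty password as an anonymous bind and returns success (0), and the
RFC 4513 section 5.1.2 behaviour, which rejects it with unwillingToPerform (53).
authenticate_user() is the application-side guard.
"""

SUCCESS = 0
INVALID_CREDENTIALS = 49
UNWILLING_TO_PERFORM = 53

# Constructed sample directory: DN -> password (plaintext only for the demo).
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": "correct horse battery staple",
}


def simple_bind_rfc2251(dn: str, password: str) -> int:
    """Legacy semantics: DN + empty password is an anonymous bind and succeeds."""
    if password == "":
        return SUCCESS  # anonymous, but a naive caller never notices
    if DIRECTORY.get(dn) == password:
        return SUCCESS
    return INVALID_CREDENTIALS


def simple_bind_rfc4513(dn: str, password: str) -> int:
    """Revised semantics: a DN without a password is refused outright."""
    if dn != "" and password == "":
        return UNWILLING_TO_PERFORM
    if dn == "" and password == "":
        return SUCCESS  # a genuinely anonymous bind
    if DIRECTORY.get(dn) == password:
        return SUCCESS
    return INVALID_CREDENTIALS


def authenticate_user(bind, dn: str, password: str) -> bool:
    """Application-side login check that does not rely on the server's policy.

    An empty DN or password is rejected before any bind is attempted, so a
    legacy server's "anonymous success" can never be taken for a user login.
    """
    if not dn or not password:
        return False
    return bind(dn, password) == SUCCESS


if __name__ == "__main__":
    dn = "uid=alice,ou=people,dc=example,dc=com"
    # Naive application trusting the raw bind result on a legacy server.
    print("legacy server, empty password, naive check:",
          simple_bind_rfc2251(dn, "") == SUCCESS)        # True: false login
    print("revised server, empty password:",
          simple_bind_rfc4513(dn, ""))                     # 53
    print("guarded check, legacy server:",
          authenticate_user(simple_bind_rfc2251, dn, ""))  # False
```

The guard is deliberately independent of the server: even when the server already implements the RFC 4513 behaviour, checking for an empty password before binding costs nothing and keeps the application correct if it is later pointed at an older or differently configured server.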

loopDetect (54)

Applicable operation types: add, bind, compare, delete, extended, modify, modify DN, search

The loopDetect result code indicates that the server detected some kind of circular reference in the course of processing an operation. Some of the potential causes for this result code are:

  • If the server supports aliases and the process of dereferencing an alias eventually leads the server back to an alias entry that it has already encountered.
  • If the server supports following referrals on behalf of the client and it receives a referral that would require the server to issue a request to a server to which it has already issued that same request.
  • If the server supports chaining and it detects a chaining loop between servers.

In some cases, the server may use the loopDetect result code even if it hasn’t actually detected a loop. For example, some servers use a counter to keep track of the number of hops they’ve had to make when following a reference, and may assume that there’s a loop if the number of hops would exceed some maximum.

namingViolation (64)

Applicable operation types: add, modify DN

The namingViolation result code indicates that the requested add or modify DN operation would have resulted in an entry that violates some naming constraint within the server. Some of the potential causes for this result code are:

  • The operation would have resulted in an entry whose DN violates the constraints for a name form. Name forms may be used to restrict which attribute types can be used in an entry’s RDN based on the structural object class for that entry.
  • The operation would have resulted in an entry that violates the constraints for a DIT structure rule. DIT structure rules may be used to ensure that entries with a specified structural object class can only have entries with one of a specified set of structural classes as their immediate subordinates.
  • The request would have resulted in an entry that exists below an alias entry. All alias entries must be leaf entries.

objectClassViolation (65)

Applicable operation types: add, modify, modify DN

The objectClassViolation result code indicates that the requested operation would have resulted in an entry that has an inappropriate set of object classes, or whose attributes violate the constraints associated with its set of object classes. Some of the possible reasons for this include:

  • The entry would have included an object class that is not defined in the schema.
  • The entry would not have included any structural object class.
  • The entry would have included multiple structural object classes.
  • The entry would have included an auxiliary object class that is not permitted to be used in conjunction with its structural object class.
  • The entry would have included an abstract object class that is not a superclass for any of the structural or auxiliary object classes for that entry.
  • The entry would have been missing an attribute that is required by one of its object classes or its DIT content rule.
  • The entry would have included an attribute that is not permitted by any of its object classes, or that is prohibited by its DIT content rule.
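The checks in that list are mechanical, and seeing them as code makes it clear which one a given objectClassViolation came from. The Python below is an added example, not code from the article or from any directory server. It embeds a small constructed schema (a subset resembling the RFC 4519 person, organizationalUnit and posixAccount classes) and a hypothetical DIT content rule table, and its check_entry() function reports every violation from the list above for an entry given as a dictionary of attribute names to value lists.

```python
"""Added example: the schema checks behind objectClassViolation (65).

The schema and the ALLOWED_AUX content-rule table are constructed for this
demo and do not describe any real server. check_entry() returns a list of
violation messages; an empty list means the entry is schema-valid.
"""
from dataclasses import dataclass
from typing import Optional

OBJECT_CLASS_VIOLATION = 65


@dataclass(frozen=True)
class ObjectClass:
    name: str
    kind: str                       # "abstract", "structural" or "auxiliary"
    superior: Optional[str] = None
    must: frozenset = frozenset()   # required attribute types (lower-case)
    may: frozenset = frozenset()    # optional attribute types (lower-case)


# Constructed sample schema, keyed by lower-cased class name.
SCHEMA = {oc.name.lower(): oc for oc in [
    ObjectClass("top", "abstract", None, frozenset({"objectclass"})),
    ObjectClass("person", "structural", "top",
                frozenset({"sn", "cn"}),
                frozenset({"userpassword", "telephonenumber", "description"})),
    ObjectClass("organizationalUnit", "structural", "top",
                frozenset({"ou"}), frozenset({"description"})),
    ObjectClass("posixAccount", "auxiliary", "top",
                frozenset({"cn", "uid", "uidnumber", "gidnumber", "homedirectory"}),
                frozenset({"loginshell", "gecos"})),
]}

# Hypothetical DIT content rules: auxiliary classes each structural class may carry.
ALLOWED_AUX = {"person": {"posixaccount"}}


def superclass_chain(name: str) -> list:
    """All classes from `name` up to and including its root superior."""
    chain = []
    current = SCHEMA.get(name.lower())
    while current is not None:
        chain.append(current)
        current = SCHEMA.get(current.superior.lower()) if current.superior else None
    return chain


def check_entry(entry: dict) -> list:
    """Return the schema violations for `entry` (names are case-insensitive)."""
    attrs = {k.lower(): v for k, v in entry.items()}
    present = set(attrs)
    problems = []
    classes = [c.lower() for c in attrs.get("objectclass", [])]

    problems += [f"undefined object class: {c}" for c in classes if c not in SCHEMA]
    known = [SCHEMA[c] for c in classes if c in SCHEMA]

    structural = [c for c in known if c.kind == "structural"]
    if not structural:
        problems.append("no structural object class")
    elif len(structural) > 1:
        problems.append("multiple structural object classes: "
                        + ", ".join(c.name for c in structural))

    concrete = [c for c in known if c.kind != "abstract"]
    for c in known:
        if c.kind == "abstract" and not any(
                c.name.lower() in {s.name.lower() for s in superclass_chain(o.name)}
                for o in concrete):
            problems.append(f"abstract class {c.name} is not a superclass of any "
                            "structural or auxiliary class in the entry")
        if c.kind == "auxiliary" and structural and c.name.lower() not in \
                ALLOWED_AUX.get(structural[0].name.lower(), set()):
            problems.append(f"auxiliary class {c.name} not permitted with "
                            f"{structural[0].name}")

    # Expand every listed class through its superior chain, then collect MUST/MAY.
    effective = {}
    for c in known:
        for sc in superclass_chain(c.name):
            effective[sc.name.lower()] = sc
    required = set().union(*(oc.must for oc in effective.values()))
    allowed = required | set().union(*(oc.may for oc in effective.values()))
    problems += [f"missing required attribute: {a}" for a in sorted(required - present)]
    problems += [f"attribute not permitted by any object class: {a}"
                 for a in sorted(present - allowed)]
    return problems


def result_code(entry: dict) -> int:
    """0 (success) when the entry is schema-valid, else objectClassViolation (65)."""
    return 0 if not check_entry(entry) else OBJECT_CLASS_VIOLATION
```

Note that the example treats the DIT content rule as only a permitted-auxiliary-class list; a full content rule can also add required and prohibited attributes, which would be folded into `required` and `allowed` in the same way.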

notAllowedOnNonLeaf (66)

Applicable operation types: delete, modify DN

The notAllowedOnNonLeaf result code indicates that the requested operation is only supported for leaf entries, but the targeted entry has one or more subordinates.

For a delete request, this indicates that the targeted entry has one or more subordinate entries. Under normal circumstances, a delete request is only allowed to remove leaf entries, although some servers may provide support for a control (like the one described in draft-armijo-ldap-treedelete) that allows removing an entry and all of its subordinates in a single request.

For a modify DN request, this indicates that the targeted entry has one or more subordinate entries and that the server does not support moving or renaming entries with subordinates. Some servers do support this capability, but others do not.

notAllowedOnRDN (67)

Applicable operation types: modify

The notAllowedOnRDN result code indicates that the requested modify operation would have resulted in an entry that does not include all of the attributes used in its RDN. The following modification types are not allowed:

  • A delete modification without any values (indicating that the entire attribute should be removed from the entry) that targets an attribute type used in the entry’s RDN.
  • A delete modification with one or more values, including an attribute value used in the entry’s RDN.
  • A replace modification without any values (indicating that the entire attribute should be removed from the entry) that targets an attribute type used in the entry’s RDN.
  • A replace modification with one or more values (indicating that only the provided values should be used for that attribute) that targets an attribute type used in the entry’s RDN, but that omits a value used in the entry’s RDN.

If you wish to remove an attribute value from an entry, but that value is used in the entry’s RDN, you should use a modify DN request that specifies a new RDN that does not use that value, and whose “delete old RDN” flag is set to true. Standard LDAP does not provide a single type of operation that allows altering both an entry’s DN and other attributes in the entry that are not included in its DN, although some types of directory servers may provide some way to accomplish this in an atomic manner. For example, if a server supports LDAP transactions as described in RFC 5805, then a transaction may include both a modify DN request to update the entry’s DN and a modify request to make other changes to the entry’s attribute values.

entryAlreadyExists (68)

Applicable operation types: add, modify DN

The entryAlreadyExists result code indicates that the requested operation would have resulted in an entry with the same DN as an entry that already exists in the server.

For an add request, it means that the server already contains an entry whose DN matches the DN contained in the request.

For a modify DN request without a new superior DN, it means that the server already contains an entry below the same parent as the targeted entry whose RDN matches the new RDN contained in the request.

For a modify DN request with a new superior DN, it means that the server already contains an entry below the specified new superior DN whose RDN matches the new RDN contained in the request.
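Both notAllowedOnRDN (67) and entryAlreadyExists (68) come down to reasoning about an entry's RDN and the DN it would end up with, so one worked example can cover the four forbidden modification shapes listed under notAllowedOnRDN and the three entryAlreadyExists cases above. The Python below is an added example, not code from the article or from any server; its DN parser is deliberately minimal (it handles the plain `attr=value,attr=value` form and `+`-joined multi-valued RDNs but no RFC 4514 escaping), and the directory contents are constructed for the demo.

```python
"""Added example: RDN checks for modify (notAllowedOnRDN, 67) and the
collision check for modify DN (entryAlreadyExists, 68).

The DN handling here is simplified and does not implement RFC 4514 escaping;
a real server uses a full parser. ENTRIES is a constructed sample directory.
"""
from typing import Optional

SUCCESS = 0
NOT_ALLOWED_ON_RDN = 67
ENTRY_ALREADY_EXISTS = 68


def parse_rdn(rdn: str) -> dict:
    """'cn=Alice+sn=Liddell' -> {'cn': 'alice', 'sn': 'liddell'} (normalised)."""
    pairs = (ava.split("=", 1) for ava in rdn.split("+"))
    return {t.strip().lower(): v.strip().lower() for t, v in pairs}


def split_dn(dn: str) -> list:
    """'cn=a,ou=b,dc=c' -> ['cn=a', 'ou=b', 'dc=c'] (no escape handling)."""
    return [part.strip() for part in dn.split(",")] if dn else []


def normalise_dn(dn: str) -> str:
    """Case-fold and order multi-valued RDNs so equal DNs compare equal."""
    return ",".join(
        "+".join(f"{t}={v}" for t, v in sorted(parse_rdn(r).items()))
        for r in split_dn(dn))


def check_modify(dn: str, mods: list) -> int:
    """Apply the four forbidden modification shapes from the notAllowedOnRDN list.

    `mods` is a list of (op, attribute, values) tuples with op one of
    "add", "delete" or "replace"; an empty values list means "whole attribute".
    """
    rdn = parse_rdn(split_dn(dn)[0])
    for op, attr, values in mods:
        attr = attr.lower()
        if attr not in rdn:
            continue  # attribute is not part of the RDN: nothing to protect
        lowered = [v.lower() for v in values]
        if op == "delete":
            # Whole-attribute delete, or a delete that names the RDN value.
            if not values or rdn[attr] in lowered:
                return NOT_ALLOWED_ON_RDN
        elif op == "replace":
            # Whole-attribute replace, or a replace that omits the RDN value.
            if not values or rdn[attr] not in lowered:
                return NOT_ALLOWED_ON_RDN
    return SUCCESS


def check_modify_dn(existing: set, dn: str, new_rdn: str,
                    new_superior: Optional[str] = None) -> int:
    """Compute the DN the entry would receive and refuse it if already taken.

    Without new_superior the entry stays under its current parent (the second
    entryAlreadyExists case above); with it, the new DN is built under the
    new superior (the third case).
    """
    parts = split_dn(dn)
    parent = new_superior if new_superior is not None else ",".join(parts[1:])
    target = normalise_dn(",".join([new_rdn] + split_dn(parent)))
    taken = {normalise_dn(d) for d in existing}
    taken.discard(normalise_dn(dn))  # the entry being renamed is not a conflict
    return ENTRY_ALREADY_EXISTS if target in taken else SUCCESS


# Constructed sample directory.
ENTRIES = {
    "uid=alice,ou=people,dc=example,dc=com",
    "uid=bob,ou=people,dc=example,dc=com",
    "uid=alice,ou=staff,dc=example,dc=com",
}

if __name__ == "__main__":
    alice = "uid=alice,ou=people,dc=example,dc=com"
    print(check_modify(alice, [("replace", "uid", ["bob"])]))            # 67
    print(check_modify(alice, [("add", "uid", ["alice2"])]))             # 0
    print(check_modify_dn(ENTRIES, alice, "uid=bob"))                    # 68
    print(check_modify_dn(ENTRIES, alice, "uid=alice",
                          "ou=staff,dc=example,dc=com"))                 # 68
```

The replace branch is the subtle one: replacing `uid` with `["alice", "alice2"]` is allowed because the RDN value survives, while replacing it with `["bob"]` is refused even though the attribute itself remains. That is exactly why the text recommends a modify DN with "delete old RDN" set when the goal is to drop the value used in the RDN.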

objectClassModsProhibited (69)

Applicable operation types: modify

The objectClassModsProhibited result code indicates that the requested modify operation would have altered the target entry’s set of object classes in a way that is not supported. This is typically returned in response to a modify request that would cause the target entry to have a different structural object class.

Changing an entry’s structural object class is technically permitted by LDAP, but many servers do not support it because it can require a substantial amount of validation effort to ensure that the changes do not violate any constraints. In addition to all of the validation normally associated with a modify operation, changing an entry’s structural object class requires the following additional validation:

  • Identifying the new DIT content rule (if any) that applies to the entry and ensuring that all of its constraints are satisfied, including required attribute types, prohibited attribute types, and permitted auxiliary object classes.
  • Identifying the new name form (if any) that applies to the entry and ensuring that the entry’s RDN satisfies all of its constraints, including ensuring that the RDN has all required attribute types and does not include any attribute types that are not permitted.
  • Identifying the DIT structure rule (if any) that applies to the entry and ensuring that the entry is still permitted to exist beneath its parent.
  • Identifying the DIT structure rules (if any) that apply to each of the entry’s subordinates and ensuring that they are still permitted to exist beneath the entry.

affectsMultipleDSAs (71)

Applicable operation types: add, delete, extended, modify, modify DN

The affectsMultipleDSAs result code indicates that the requested operation would have required manipulating information in multiple servers in a way that is not supported. Some of the potential conditions in which you might see this result code are:

  • If the directory environment is configured so that different portions of the DIT are held in different servers (or in different databases in the same server), and a modify DN operation would require moving an entry from one server (or database) to another.
  • If the directory environment is configured with data split across multiple servers (or multiple databases in the same server), and a transaction targets entries in multiple servers (or databases).
  • If the directory environment is configured with data in a given subtree split across multiple servers (or multiple databases within the same server), and a subtree delete request would require removing entries from multiple servers (or databases).
  • If the directory environment is configured so that entries within the same portion of the DIT may be split up across multiple servers (a practice sometimes called “sharding” or “entry balancing”), and a modify or modify DN operation would require moving an entry from one server to another.
  • If the directory environment is configured so that entries within the same portion of the DIT may be split up across multiple servers, each of those servers holds the same parent entry at the top of that split DIT, and an operation attempts to add, delete, or modify that parent entry in a manner that would require the operation to be processed across all servers.

other (80)

Applicable operation types: add, bind, compare, delete, extended, modify, modify DN, search

The other result code is used when a problem occurs for which none of the other result codes is more appropriate. It is the correct result code to use in the event that an internal error occurs within the server (although some servers mistakenly use operationsError (1) for this purpose), but the other result code may be used for additional kinds of problems as well.
