The following table lists some important LDAP result codes that could result from transmitting a search to the directory server.
Certain non-zero result codes, other than 10 (decimal), indicate that some limit was exceeded and are prophylactic in nature: their presence shows that the directory server prevented an LDAP client from monopolizing directory server resources. Administrators must never allow clients to request large numbers of entries or to use unlimited amounts of server time processing a request unless the client has made special arrangements. Modern, professional-quality directory servers like the UnboundID Directory Server support assigning connection and request resource limits on a per-client and per-distinguished-name basis.
Referrals (result code 10) are used to notify clients that the requested operation should be attempted at the server given in the referral response.

| result code | result code name | result code description |
| --- | --- | --- |
| 0 | SUCCESS | The search was successful and all entries that were in scope and where the assertion value in the filter matched an attribute value were returned to the client. |
| 3 | TIME_LIMIT_EXCEEDED | The processing time for the search exceeded either the client-requested time limit or the server imposed time limit, whichever is shorter, before the search completed. Some entries may have been returned to the client. Applications that receive this error are taking too much time to search the directory; the directory is protecting itself against being monopolized. The client should either set a longer client-requested time limit or request that the server administrators increase the length of time the application is allotted to search the directory. The root DN is not subject to this limit. |
| 4 | SIZE_LIMIT_EXCEEDED | The number of entries, including the base object, that were in scope and where the assertion value in the filter matched an attribute value exceeded either the client-requested size limit or the server imposed size limit. Some entries may have been returned, but no more than the client-requested size limit or the server-imposed size limit, whichever is smaller. Applications that receive this error code are trying to retrieve more entries from the directory than the administrators allow or more than the client-requested number of entries. Applications should either use a larger client-requested size limit or request that administrators allow more entries to be returned. Using the simple paged results control does not circumvent this limit. The root DN is not subject to this limit. |
| 10 | REFERRAL | Directory server referred the LDAP client to another server to process the search request. The alternate server and port is presented in the form of an LDAP URI, for example, ldap://ldap.example.com:1389 |
| 11 | ADMIN_LIMIT_EXCEEDED | An administrative limit would have been exceeded if the search had been successful. No entries were returned to the LDAP client. In the case of the Sun Directory Server and the UnboundID Directory Server, this administrative limit is called the *look-through limit* and refers to the maximum number of entries the server will examine in the course of processing a search request. Applications which receive this error may be 'trawling' the directory, or 'listing' the directory contents. If a legitimate business need exists this limit can be increased by the administrators. Clients cannot set this parameter in a search request. The root DN is not subject to this limit. |
Using the modern ldapsearch syntax to set a client-requested size limit:
```
ldapsearch --hostname localhost --port 636 --useSSL --trustAll --baseDn dc=example,dc=com --searchScope sub --sizeLimit 4 '(&)' 1.1
dn: dc=example,dc=com
dn: uid=admin,dc=example,dc=com
dn: ou=People,dc=example,dc=com
dn: uid=user.0,ou=People,dc=example,dc=com
This search operation has sent the maximum of 4 entries to the client
Result Code: 4 (Size Limit Exceeded)
Diagnostic Message: This search operation has sent the maximum of 4 entries to the client
```
Using the legacy OpenLDAP ldapsearch syntax:
```
ldapsearch -H ldaps://localhost:636 -x -LLL -b dc=example,dc=com -s sub -z 4 '(&)' 1.1
dn: dc=example,dc=com
dn: uid=admin,dc=example,dc=com
dn: ou=People,dc=example,dc=com
dn: uid=user.0,ou=People,dc=example,dc=com
Size limit exceeded (4)
Additional information: This search operation has sent the maximum of 4 entries to the client
```
The examples above use '(&)' as a search filter. Some versions of the Sun Directory Server (now ODSEE) are not fully LDAP-compliant and do not support this legal search filter. For these broken servers, use the presence filter '(objectClass=*)' instead.
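
A script that audits or exports directory entries through ldapsearch must not treat a truncated entry list as the whole directory. The following is an added example, not part of the original page: it parses the two output styles shown earlier and reports whether the entry list is complete. The function name, the returned keys and the referral sample's line layout are assumptions, and it expects plain `dn: ` lines as in the page's output.

```python
import re

# Result codes and names from the table on this page.
NAMES = {0: "SUCCESS", 3: "TIME_LIMIT_EXCEEDED", 4: "SIZE_LIMIT_EXCEEDED",
         10: "REFERRAL", 11: "ADMIN_LIMIT_EXCEEDED"}
PARTIAL = {3, 4}  # some entries may have been returned, but not all of them

MODERN = re.compile(r"^Result Code:\s*(\d+)\b")           # Result Code: 4 (...)
LEGACY = re.compile(r"^[A-Za-z][A-Za-z ]*\((\d+)\)\s*$")  # Size limit exceeded (4)
LDAP_URI = re.compile(r"ldaps?://\S+")


def parse_search_output(text):
    """Extract DNs, the result code and a completeness verdict."""
    dns, code, uris = [], None, []
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("dn: "):
            dns.append(line[4:])
            continue
        m = MODERN.match(line) or LEGACY.match(line)
        if m:
            code = int(m.group(1))
        uris += LDAP_URI.findall(line)
    return {"dns": dns, "code": code, "name": NAMES.get(code, "UNKNOWN"),
            "complete": code == 0,  # only an explicit 0 proves completeness
            "partial": code in PARTIAL,
            "referrals": uris if code == 10 else []}


# Output of the modern-syntax example on this page.
MODERN_OUT = """dn: dc=example,dc=com
dn: uid=admin,dc=example,dc=com
dn: ou=People,dc=example,dc=com
dn: uid=user.0,ou=People,dc=example,dc=com
This search operation has sent the maximum of 4 entries to the client
Result Code: 4 (Size Limit Exceeded)
Diagnostic Message: This search operation has sent the maximum of 4 entries to the client"""
# Shortened tail of the legacy-syntax example on this page.
LEGACY_OUT = "dn: dc=example,dc=com\nSize limit exceeded (4)"
# Constructed sample: the line layout is an assumption, the URI is the page's example.
REFERRAL_OUT = "Result Code: 10 (Referral)\nReferral URL: ldap://ldap.example.com:1389"

if __name__ == "__main__":
    for sample in (MODERN_OUT, LEGACY_OUT, REFERRAL_OUT):
        r = parse_search_output(sample)
        verdict = "complete" if r["complete"] else "INCOMPLETE"
        print(r["code"], r["name"], len(r["dns"]), verdict)
```

Output with no recognizable result line yields `code` of `None` and `complete` of `False`, so a cut-off or unparsed response is never reported as a full listing.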
© 2012 Terry Gardner