Openldap Error 2
ldap_add: Protocol error (2) additional info: no attributes provided

I'm following this guide to migrate existing users in /etc/passwd and /etc/group on a RHEL6 machine to a new, external OpenLDAP server. I'm trying to apply this file:

    # cat people_group.ldif
    dn: ou=People, dc=my_domain, dc=com
    ou: People
    objectclass: organizationalUnit

    dn: ou=Group, dc=my_domain, dc=com
    ou: Group
    objectclass: organizationalUnit

I get this error:

    # ldapadd -x -W -D "cn=admin,dc=my_domain,dc=com" -H ldaps://my_hostname.my_domain.com -f people_group.ldif
    Enter LDAP Password:
    adding new entry "ou=People, dc=my_domain, dc=com ou: People objectclass: organizationalUnit"
    ldap_add: Protocol error (2)
            additional info: no attributes provided

If I skip this file and go to add the next file, I get a different error:

    # ldapadd -x -W -D "cn=admin,dc=my_domain,dc=com" -H ldaps://my_hostname.my_domain.com -f group.ldif
    Enter LDAP Password:
    adding new entry "cn=some_group,ou=Group,dc=my_domain,dc=com"
    ldap_add: No such object (32)

I'm guessing it can't find ou=Group, which has to be created by the first command that's giving an error. Is that right? Here's the first entry in group.ldif:

    dn: cn=some_group,ou=Group,dc=my_domain,dc=com
    objectClass: posixGroup
    objectClass: top
    cn: my_domain
    userPassword: {crypt}x
    gidNumber: 500

Here's the output of ldapsearch on the actual OpenLDAP server:

    # ldapsearch -H ldapi:/// -Y EXTERNAL
    SASL/EXTERNAL authentication started
    SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
    SASL SSF: 0
    # extended LDIF
    #
    # LDAPv3
    # base
Source: http://serverfault.com/questions/734318/ldap-add-protocol-error-2-additional-info-no-attributes-provided

Source: http://www.openldap.org/doc/admin24/appendix-common-errors.html

causes of LDAP errors

C.1.1. ldap_*: Can't contact LDAP server

The Can't contact LDAP server error is usually returned when the LDAP server cannot be contacted. This may occur for many reasons:

- the LDAP server is not running; this can be checked by running, for example, telnet [...] on.
- the client has not been instructed to contact a running server; with OpenLDAP command-line tools this is accomplished by providing the -H switch, whose argument is a valid LDAP url corresponding to the interface the server is supposed to be listening on.

C.1.2. ldap_*: No such object

The no such object error is generally returned when the target DN of the operation cannot be located. This section details reasons common to all operations. You should also look for answers specific to the operation (as indicated in the error message).

The most common reason for this error is non-existence of the named object. First, check for typos.

Also note that, by default, a new directory server holds no objects (except for a few system entries). So, if you are setting up a new directory server and get this message, it may simply be that you have yet to add the object you are trying to locate.

The error commonly occurs because a DN was not specified and a default was not properly configured.

If you have a suffix specified in slapd.conf, e.g.

    suffix "dc=example,dc=com"

you should use

    ldapsearch -b 'dc=example,dc=com' '(cn=jane*)'

to tell it where to start the search.

The -b should be specified for all LDAP commands unless you have an ldap.conf(5) default configured.

See ldapsearch(1), ldapmodify(1)

Also, slapadd(8) and its ancillary programs are very strict about the syntax of the LDIF file. Some liberties in the LDIF file may result in an apparently successful creation of the database, but accessing some parts of it may be difficult.

One known common error in database creation is putting a blank line before the first entry in the LDIF file. There must be no leading blank lines in the LDIF file.

It is generally recommended that ldapadd(1) be used instead of slapadd(8) when adding new entries to your directory. slapad
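The LDIF strictness described in C.1.2, as an added example (not code from the question or from the OpenLDAP documentation): a pre-flight check that flags a leading blank line, a record that would be sent with no attributes because its attribute lines start with a space and are folded into the dn: line (RFC 2849 continuation), and an entry whose parent is not yet present. The dc=example,dc=com suffix, the sample file and the function names are constructed for illustration; the suffix entry is assumed to exist already, and version: lines, base64 dn:: values and changetype records are not handled.

```python
import re

def unfold(text):
    """Join RFC 2849 continuation lines (lines starting with one space)."""
    lines = []
    for raw in text.replace("\r\n", "\n").split("\n"):
        if raw.startswith(" ") and lines and lines[-1] != "":
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def rdns(dn):
    """Split a DN on unescaped commas, normalising case and spacing."""
    return tuple(p.strip().lower() for p in re.split(r"(?<!\\),", dn))

def lint_ldif(text, suffix):
    """Return (entry_number, problem) pairs; entry 0 is the file itself."""
    findings = []
    if text.startswith(("\n", "\r\n")):
        findings.append((0, "leading-blank-line"))
    known = {rdns(suffix)}      # assumption: the suffix entry already exists
    record, n = [], 0
    for line in unfold(text) + [""]:    # the extra "" flushes the last record
        if line and not line.startswith("#"):
            record.append(line)
        if line or not record:
            continue
        n += 1
        first, attrs, record = record[0], record[1:], []
        if not first.lower().startswith("dn:"):
            findings.append((n, "missing-dn"))
            continue
        dn = rdns(first[3:])
        if not attrs:           # an add with no attributes: Protocol error (2)
            findings.append((n, "no-attributes"))
        elif dn not in known and dn[1:] not in known:   # No such object (32)
            findings.append((n, "parent-missing"))
        else:
            known.add(dn)
    return findings

# Constructed sample: the attribute lines of the first record start with a space.
BAD = (
    "dn: ou=Group,dc=example,dc=com\n ou: Group\n objectClass: organizationalUnit\n\n"
    "dn: cn=some_group,ou=Group,dc=example,dc=com\n"
    "objectClass: posixGroup\ncn: some_group\ngidNumber: 500\n"
)
GOOD = BAD.replace("\n ", "\n")     # same file with the leading spaces removed
```
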
Source: http://www.openldap.org/doc/admin24/appendix-ldap-result-codes.html

can be found in doc/rfc of the OpenLDAP source code. We have expanded the description of each error in relation to the OpenLDAP toolsets.

LDAP extensions may introduce extension-specific result codes, which are not part of RFC4511. OpenLDAP returns the result codes related to extensions it implements. Their meaning is documented in the extension they are related to.

H.1. Non-Error Result Codes

These result codes (called "non-error" result codes) do not indicate an error condition: success (0), compareFalse (5), compareTrue (6), referral (10), and saslBindInProgress (14).

The success, compareTrue, and compareFalse result codes indicate successful completion (and, hence, are referred to as "successful" result codes). The referral and saslBindInProgress result codes indicate the client needs to take additional action to complete the operation.

H.2. Result Codes

Existing LDAP result codes are described as follows:

H.3. success (0)

Indicates the successful completion of an operation. Note: this code is not used with the Compare operation. See compareFalse (5) and compareTrue (6).

H.4. operationsError (1)

Indicates that the operation is not properly sequenced with relation to other operations (of same or different type). For example, this code is returned if the client attempts to StartTLS (RFC4511 Section 4.14) while there are other uncompleted operations or if a TLS layer was already installed.

H.5. protocolError (2)

Indicates the server received data that is not well-formed. For Bind operation only, this code is also used to indicate that the server does not support the requested protocol version. For Extended operations only, this code is also used to indicate that the server does not support (by design or configuration) the Extended operation associated with the requestName. For request operations specifying multiple controls, this may be used to indicate that the server cannot ignore the order of the controls as specified, or that the combination of the specified controls is invalid or unspecified.

H.6. timeLimitExceeded (3)

Indicates that the time limit specified by the client was exceeded before the operation could be completed.

H.7. sizeLimitExceeded (4)

Indicates that the size limit specified by the client was exceeded before the operation could be completed.

H.8. compareFalse (5)

Indicates that the Compare operation has successfully completed and th

Source: https://www.ldap.com/ldap-result-code-reference

Server-Side Result Codes

Various LDAP specifications define a number of common result codes that may be included in responses to clients. These result codes include (but are not necessarily limited to):

0: Success
This indicates that the operation completed successfully. It may be returned in response to an add, bind, delete, extended, modify, modify DN, or search operations. Compare operations will not return a success result. If a compare operation does not encounter an error during processing, then the server should return a result of either "compare true" or "compare false", based on whether the target entry had the specified attribute value.

1: Operations Error
This is intended to indicate that the client has requested an operation at an inappropriate time or in an incorrect order. For example, it may be used if a client sends a non-bind request in the middle of a multi-stage bind operation. Note that some directory servers use this as a generic "server error" type result. This is not the intended use for this result code (the "other" result is a better choice for this), but clients may need to be aware of this possibility.

2: Protocol Error
This generally indicates that the client request was improperly formatted in some way. For a bind operation, it may indicate that the client attempted to use an unsupported LDAP protocol version. For an extended operation, it may indicate that the server does not support the extended request type. Note that this result code can only be used if the server is able to at least partially decode the request in order to determine the message ID and operation type, since the server needs that information in order to craft an appropriate response.

3: Time Limit Exceeded
This indicates that a search operation took longer to complete than allowed by the maximum time limit for that operation. This may be the time limit specified by the client in the search request, or it may be a time limit imposed by the server.

4: Size Limit Exceeded
This indicates that a search operation would have returned more entries than were allowed for that operation. This may be the size limit specified b