Json2Ldap error codes

Json2Ldap returns an error code with a message if the JSON-RPC 2.0 request failed for some reason.

The error codes fall into the following ranges according to their type:

Range Type
1 .. ? Standard and extension-specific LDAP operation errors reported by the directory server. These are passed through without modification and their codes match the standard LDAP result codes (positive integers).
-1000 .. -1999 Errors generated by the Json2Ldap web service itself. These are typically used to indicate connection, access policy and security exceptions.
-31100 .. -31199 Access denied messages, such as access denied due to a blocked client IP address.
-32000 .. -32768 Standard JSON-RPC 2.0 protocol errors. These are codes reserved by the RPC protocol to indicate errors such as badly formatted JSON-RPC 2.0 requests or invalid method parameters.

Here is an example JSON-RPC 2.0 response that reports an invalid / expired LDAP connection token:

{ "error"   : { "code"    : -1000,
                "message" : "Invalid\/expired LDAP connection identifier (CID)" },
  "id"      : 1,
  "jsonrpc" : "2.0" }

Some error responses may contain additional diagnostic information in the error data field, for example:

{
 "error"   : { "code"    : -1031,
               "message" : "LDIF exception",
               "data"    : "Unexpected space found at the beginning of 
                            the first line for an LDIF entry on or near
                            line number 1."},
 "id"      : 1,
 "jsonrpc" : "2.0"
}

The exact format of error responses is described in the JSON-RPC 2.0 specification.

Json2Ldap keeps error messages deliberately concise. To obtain more information about the cause of an error examine the Json2Ldap log file (logging must be enabled at INFO level).

LDAP specific errors

Errors with a code above zero indicate an exception reported by the directory server during processing of an LDAP request. The codes can be standard, reserved by the LDAP protocol (codes in the range from 0 to 90, see RFC 2251) as well as extension specific (codes above 90).

The encapsulating HTTP response has a status code 460 (since v3.5).

Here is a list of some of the LDAP specific errors:

Code Message
2 LDAP error: Protocol error
3 LDAP error: Time limit exceeded
4 LDAP error: Size limit exceeded
7 LDAP error: Auth method not supported
8 LDAP error: Strong auth required
11 LDAP error: Admin limit exceeded
12 LDAP error: Unavailable critical extension
13 LDAP error: Confidentiality required
16 LDAP error: No such attribute
17 LDAP error: Undefined attribute type
18 LDAP error: Inappropriate matching
19 LDAP error: Constraint violation
20 LDAP error: Attribute or value exists
21 LDAP error: Invalid attribute syntax
32 LDAP error: No such object
33 LDAP error: Alias problem
34 LDAP error: Invalid DN syntax
36 LDAP error: Alias dereferencing problem
48 LDAP error: Inappropriate authentication
49 LDAP error: Invalid credentials
50 LDAP error: Insufficient access rights
52 LDAP error: Unavailable
53 LDAP error: Unwilling to perform
54 LDAP error: Loop detect
64 LDAP error: Naming violation
65 LDAP error: Object class violation
66 LDAP error: Not allowed on non-leaf
67 LDAP error: Not allowed on RDN
68 LDAP error: Entry already exists
69 LDAP error: Object client mods prohibited
80 LDAP error: Other
81 LDAP error: Server down
82 LDAP error: Local error
83 LDAP error: Encoding error
84 LDAP error: Decoding error
85 LDAP error: Timeout
86 LDAP error: Auth unknown
87 LDAP error: Filter error
90 LDAP error: No memory

Json2Ldap specific exceptions

Exceptions with codes between -1000 and -1999 originate from the Json2Ldap web service itself.

These are divided into the following categories:

  • -1000 .. -1099 Common errors

  • -1100 .. -1199 LDAP server connection, TLS/SSL and network errors

  • -1200 .. -1299 Bind (authentication) request errors

  • -1300 .. -1399 Errors related to LDAP read operation requests

  • -1400 .. -1499 Errors related to LDAP write operation requests

  • -1500 .. -1599 Errors related to LDAP extended requests

  • -1600 .. -1699 Errors related to LDAP schema information requests

  • -1700 .. -1799 Custom Json2Ldap extension errors

The encapsulating HTTP response has a status code 461 (since v3.5).

Here is the complete list of the Json2Ldap web service specific errors:

Code Message
-1000 Invalid/expired LDAP connection identifier (CID)
-1005 Incomplete LDAP connection / bind request
-1010 Requests must be submitted over HTTP secure (HTTPS)
-1020 Parameter with bad BASE-64 encoding
-1030 LDIF read exception
-1031 LDIF exception
-1032 Empty LDIF record
 
-1100 LDAP server connect error
-1101 Unknown LDAP server host
-1102 No route to LDAP server host
-1103 LDAP server down or invalid host/port
-1104 Network TCP/IP protocol error
-1105 Network I/O error
-1106 LDAP connection timeout
-1120 Connections to the specified LDAP server are not allowed
-1121 Default connections disabled
-1122 Exhausted connection quota for this client IP
-1123 Exhausted connection quota for this Json2Ldap evaluation version
-1124 LDAP connection with TLS/SSL security required
-1130 Json2Ldap TLS/SSL keystore exception
-1131 TLS/SSL error
-1132 TLS/SSL error: Invalid or untrusted certificate
-1133 StartTLS error
 
-1200 Exhausted connection quota for this user
-1201 Relay of bind (authentication) requests is disabled
-1202 Bind (authentication) is required
 
-1300 Relay of LDAP read requests is disabled
-1303 Bad page cookie format
 
-1400 Relay of LDAP write requests is disabled
-1401 The LDIF record must be of changetype ADD
-1402 The LDIF record must be of changetype MODIFY
-1403 One or more modifications must be specified
-1404 The LDIF record must be of changetype DELETE
 
-1500 Relay of "Password Modify" requests is disabled
-1501 Relay of "Who am I?" requests is disabled
 
-1600 Schema not available
-1601 No such object class
-1602 No such attribute type
-1603 No such matching rule
-1604 No such matching rule use
-1605 No such syntax
 
-1710 SRP-6a authentication disabled
-1711 This SRP-6a request requires a default LDAP connection
-1712 Illegal SRP-6a authentication session state
-1713 SRP-6a session timeout
-1714 Bad SRP-6a authentication credentials
-1715 The SRP-6a public client value 'A' must be hex encoded
-1716 The SRP-6a client evidence message 'M1' must be hex encoded
-1717 The SRP-6a salt 's' must be hex encoded
-1718 The SRP-6a verifier 'v' must be hex encoded
-1719 SRP-6a salt 's' byte size not accepted
-1720 Internal SRP-6a authentication exception

Access denied messages

This section lists JSON-RPC 2.0 errors indicating the client was denied access to Json2Ldap, e.g. due to a blocked client IP address.

The encapsulating HTTP response has a status code 401 or 403 (since v3.5).

Code Message HTTP status
-31100 Requests must be sent over HTTPS 401
-31105 Client IP address denied access 403
 
-31110 Trusted client X.509 certificate required 401
-31111 Invalid client X.509 certificate principal DN 401
-31112 Client X.509 certificate principal denied 403
 
-31120 API key filter requires named JSON-RPC 2.0 parameters 401
-31121 Missing API key 401
-31123 API key denied access 403

JSON-RPC 2.0 specific errors

Errors with codes between -32000 and -32768 are reserved by the JSON-RPC 2.0 specification to indicate a general protocol exception.

The encapsulating HTTP response has a status code 400 except for the -32603 Internal error where the HTTP status code is 500 (since v3.5).

Code Message HTTP status
-32700 JSON parse error 400
-32600 Invalid request 400
-32601 Method not found 400
-32602 Invalid parameters 400
-32603 Internal error 500