Secure LDAP service: Error code descriptions

This feature is available with Cloud Identity Premium edition.

The Secure LDAP service returns error codes when there's an issue in fulfilling the LDAP requests. These errors occur during the process of connecting an LDAP client and any subsequent LDAP queries after the connection. How and whether the LDAP clients expose error codes to end users depends on the specific LDAP client. The error codes described in this article are also displayed in audit logs.

PROTOCOL_ERROR (2)

  • Returned when a request specifies an unsupported LDAP version. The Secure LDAP service supports LDAP version 3.
  • Returned when a request specifies an unsupported action. Google supports Abandon, Bind, Extended (for StartTLS), Search, and Unbind. Unsupported actions are: Add, Compare, Del, Modify, and ModifyDn.
  • Returned when an Extended request specifies an unsupported Oid. Google only supports the Extended action for StartTLS (Oid 1.3.6.1.4.1.1466.20037) over a previously unsecured connection.

AUTH_METHOD_NOT_SUPPORTED (7)

  • Returned when a Bind request specifies an unsupported authentication method. Google supports SIMPLE, SASL PLAIN, and SASL EXTERNAL.

ADMIN_LIMIT_EXCEEDED (11)

  • The Secure LDAP service has quotas for both bind and search requests. Exceeding either quota will trigger this error message.
  • The bind quota is 4 queries per second (QPS) per customer, shared over all domains owned by the customer.
  • If you see the ADMIN_LIMIT_EXCEEDED error, determine which operation (search or bind) is exceeding the quota, then try to reduce the frequency of that operation. For example, WiFi authentication using RADIUS can generate a large number of bind operations, exceeding the quota.
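The triage step described above, as an added example that is not part of the original article: it counts errors by the names listed here and finds the seconds in which bind traffic went over the 4 QPS bind quota. The `(epoch_second, operation, result_code)` tuple layout and the sample events are constructed for illustration and are not the audit log schema; counting requests per wall-clock second is an assumed approximation of QPS, and only the peak is reported for search because this article does not state the search quota.

```python
from collections import Counter, defaultdict

# Result codes and names exactly as listed in this article.
LDAP_CODES = {
    2: "PROTOCOL_ERROR", 7: "AUTH_METHOD_NOT_SUPPORTED", 11: "ADMIN_LIMIT_EXCEEDED",
    13: "CONFIDENTIALITY_REQUIRED", 32: "NO_SUCH_OBJECT", 34: "INVALID_DN_SYNTAX",
    48: "INAPPROPRIATE_AUTHENTICATION", 50: "INSUFFICIENT_ACCESS_RIGHTS",
    53: "UNWILLING_TO_PERFORM", 80: "OTHER", 118: "CANCELED",
}
BIND_QPS_QUOTA = 4  # per customer, from the ADMIN_LIMIT_EXCEEDED section

# Constructed sample: six binds land in one second, two of them rejected with 11.
SAMPLE_EVENTS = [
    (1700000000, "Bind", 0), (1700000000, "Bind", 0), (1700000000, "Bind", 0),
    (1700000000, "Bind", 0), (1700000000, "Bind", 11), (1700000000, "Bind", 11),
    (1700000000, "Search", 0),
    (1700000001, "Bind", 0), (1700000001, "Search", 32),
    (1700000002, "Bind", 50),
]


def triage(events):
    """Summarise (epoch_second, operation, result_code) tuples.

    Returns error counts by name, the peak per-second rate of each
    operation, and the seconds in which binds exceeded the bind quota.
    """
    errors = Counter()
    per_second = defaultdict(Counter)  # operation -> {second: request count}
    for ts, op, code in events:
        per_second[op.lower()][int(ts)] += 1
        if code != 0:  # 0 is the LDAP success result code
            errors[LDAP_CODES.get(code, f"UNLISTED({code})")] += 1
    peaks = {op: max(counts.values()) for op, counts in per_second.items()}
    binds = per_second.get("bind", {})
    over = sorted(sec for sec, n in binds.items() if n > BIND_QPS_QUOTA)
    return {"errors": dict(errors), "peak_qps": peaks,
            "bind_over_quota_seconds": over}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EVENTS).items():
        print(key, value)
```
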

CONFIDENTIALITY_REQUIRED (13)

  • Returned when an SASL Bind request is issued over an unsecured connection
  • Returned when a Search request queries for anything other than server attributes and is issued over an unsecured connection

NO_SUCH_OBJECT (32)

  • Returned when searching for something that doesn't exist (for example, an unknown user, group, or organizational unit)
  • Returned when searching for a userid that isn't in the directory

INVALID_DN_SYNTAX (34)

INAPPROPRIATE_AUTHENTICATION (48)

  • Returned when a Bind request specifies a malformed, expired, or otherwise bad client certificate
  • Returned when a SASL PLAIN Bind request specifies malformed credentials, or does not specify credentials

INSUFFICIENT_ACCESS_RIGHTS (50)

  • Returned when the Secure LDAP service is OFF for the LDAP client
  • Returned when the customer is not licensed to use the Secure LDAP service
  • Returned when the Bind request specifies a user that is not licensed to use Secure LDAP
  • Returned when the Bind request specifies a user that is disabled
  • Returned when a subsequent Bind request (rebind) specifies a user that doesn't belong to an organizational unit that's enabled for authentication in the Secure LDAP configuration
  • Returned when a SIMPLE Bind request specifies no credentials (unauthenticated)

UNWILLING_TO_PERFORM (53)

  • Returned when a SIMPLE Bind request specifies no credentials (unauthenticated)

OTHER (80)

CANCELED (118)

  • Returned when an Abandon request aborts an existing LDAP operation
     
