Operation Error Summary:
Note: The following errors, explanations and examples are taken from the X.511 standards. Not all the errors are possible with CA Directory and many of the examples are not applicable. Over time this will be modified to indicate the supported messages and relevant examples. Also, wherever you see DIT below, it is in reference to Directory Information Tree.
The operation error summary contains the error category possibly followed by an error problem number.
The possible error categories that may be returned are:
- Abandoned
- Abandon Failed
- Attribute Error
- Name Error
- Referral
- Security Error
- Service Error
- Update Error
Abandoned: This outcome may be reported for any outstanding directory enquiry operation (i.e. Read, Search, Compare, List) if the DUA invokes an Abandon operation with the appropriate InvokeId.
Abandon Failed: The abandon failed error reports a problem encountered during an attempt to abandon an operation.
Any of the following problems may be indicated:
| Problem | Description |
| --- | --- |
| (1) No Such Operation | When the Directory has no knowledge of the operation which is to be abandoned (this could be because no such invoke took place, or because the Directory has forgotten about it) |
| (2) Too Late | When the Directory has already responded to the operation |
| (3) Cannot Abandon | When an attempt has been made to abandon an operation for which this is prohibited (e.g. modify), or the abandon could not be performed |
Attribute Error: An attribute error reports an attribute-related problem.
One or more problems may be specified. Each problem (identified below) is accompanied by an indication of the attribute type, and, if necessary to avoid ambiguity, the value, which caused the problem:
| Problem | Description |
| --- | --- |
| (1) No Such Attribute Or Value | The named entry lacks one of the attributes or attribute values specified as an argument of the operation |
| (2) Invalid Attribute Syntax | A purported attribute value, specified as an argument of the operation, does not conform to the attribute syntax of the attribute type |
| (3) Undefined Attribute Type | An undefined attribute type was provided as an argument to the operation. This error may occur only in relation to addEntry or modifyEntry operations |
| (4) Inappropriate Matching | An attempt was made, e.g. in a filter, to use a matching rule not defined for the attribute type concerned |
| (5) Constraint Violation | An attribute value supplied in the argument of an operation does not conform to the constraints imposed by ITU-T Rec. X.501 ISO/IEC 9594-2 or by the attribute definition (e.g. the value exceeds the maximum size allowed) |
| (6) Attribute Or Value Already Exists | An attempt was made to add an attribute which already existed in the entry, or a value which already existed in the attribute |
| (7) Context Violation | A context list or context supplied with an attribute value in the argument of an operation does not conform to the constraints imposed by ITU-T Rec. X.501 ISO/IEC 9594-2, by the context definition (e.g. the context value is not of the correct syntax), or the DIT Context Use |
Name Error: A name error reports a problem related to the name provided as an argument to an operation.
The error indicates the particular problem encountered. Any of the following problems may be indicated:
| Problem | Description |
| --- | --- |
| (1) No Such Object | The name supplied does not match the name of any object |
| (2) Alias Problem | An alias has been dereferenced which names no object |
| (3) Invalid Attribute Syntax | An attribute type and its accompanying attribute value in an AVA in the name are incompatible |
| (4) Alias Dereferencing Problem | An alias was encountered in a situation where it was not allowed or where access was denied |
| (5) Context Problem | A context type or value used in a name is not understood or is invalid, the use of a context variant name is not acceptable, or during name resolution a purported name matches the names of more than one DIT entry |
Referral: A referral redirects the service-user to one or more access points better equipped to carry out the requested operation.
Security Error: A security error reports a problem in carrying out an operation for security reasons.
The following problems may be indicated:
| Problem | Description |
| --- | --- |
| (1) Inappropriate Authentication | The level of security associated with the requestor's credentials is inconsistent with the level of protection requested, e.g. simple credentials were supplied while strong credentials were required |
| (2) Invalid Credentials | The supplied credentials were invalid |
| (3) Insufficient Access Rights | The requestor does not have the right to carry out the requested operation |
| (4) Invalid Signature | The signature of the request was found to be invalid |
| (5) Protection Required | The Directory was unwilling to carry out the requested operation because the argument was not signed |
| (6) No Information | The requested operation produced a security error for which no information is available |
| (7) Blocked Credentials | The credentials are blocked from consideration for security reasons (e.g. because an invalid password has been presented too many times in succession). The decision to return this error is governed by the security policy in effect for the DSA |
| (8) Invalid QOP Match | The two entities have differing protection parameters defined for the respective security services |
| (9) Spkm Error | The supplied SPKM token was found to be invalid. The spkmInfo parameter contains an indication that this is an SPKM error token and the identifier of the SPKM context with which this error is associated |
Service Error: A serviceError reports a problem related to the provision of the service.
The following problems may be indicated:
| Problem | Description |
| --- | --- |
| (1) Busy | The Directory, or some part of it, is presently too busy to perform the requested operation, but may be able to do so after a short while |
| (2) Unavailable | The Directory, or some part of it, is currently unavailable |
| (3) Unwilling To Perform | The Directory, or some part of it, is not prepared to execute this request, e.g. because it would lead to excessive consumption of resources or violates the policy of an Administrative Authority involved |
| (4) Chaining Required | The Directory is unable to accomplish the request other than by chaining; however, chaining was prohibited by means of the chainingProhibited service control option |
| (5) Unable To Proceed | The DSA returning this error did not have administrative authority for the appropriate naming context and as a consequence was not able to participate in name resolution |
| (6) Invalid Reference | The DSA was unable to perform the request as directed by the DUA (via OperationProgress). This may have arisen due to using an invalid referral |
| (7) Time Limit Exceeded | The Directory has reached the limit of time set by the user in a service control. No partial results are available to return to the user |
| (8) Administrative Limit Exceeded | The Directory has reached some limit set by an administrative authority, and no partial results are available to return to the user |
| (9) Loop Detected | The Directory is unable to accomplish this request due to an internal loop |
| (10) Unavailable Critical Extension | The Directory was unable to satisfy the request because one or more critical extensions were not available |
| (11) Out Of Scope | No referrals were available within the requested scope |
| (12) Dit Error | The Directory is unable to accomplish the request due to a DIT consistency problem |
| (13) Invalid Query Reference | The parameters of the requested operation are invalid. This problem is reported if the queryReference in paged results is invalid |
| (14) Requested Service Not Available | A search request failed within a service specific administrative area because no search-rule was available for the search or because the search violated an applicable search-rule |
| (15) Unsupported Matching Use | An attempt was made, e.g. in a filter, to use a matching rule not supported by the DSA when the performExactly search option is set |
| (16) Ambiguous Key Attributes | A mapping-based matching rule was selected, but the mappable filter items provided multiple matches against the relevant mapping table. This error situation is accompanied by a notification attribute as indicated by the relevant mapping-based matching rule |
Update Error: An updateError reports problems related to attempts to add, delete, or modify information in the DIT.
The following problems may be indicated:
| Problem | Description |
| --- | --- |
| (1) Naming Violation | The attempted addition or modification would violate the structure rules of the DIT as defined in the Directory schema and ITU-T Rec. X.501 ISO/IEC 9594-2. That is, it would place an entry as the subordinate of an alias entry, or in a region of the DIT not permitted to a member of its object class, or would define an RDN for an entry to include a forbidden attribute type |
| (2) Object Class Violation | The attempted update would produce an entry inconsistent with the rules for entry content; for example, its object class definition, the DIT content rules, or with the definitions of ITU-T Rec. X.501 ISO/IEC 9594-2 as they pertain to object classes |
| (3) Not Allowed On Non Leaf | The attempted operation is only allowed on leaf entries of the DIT |
| (4) Not Allowed On RDN | The attempted operation would affect the RDN (e.g. removal of an attribute which is a part of the RDN) |
| (5) Entry Already Exists | An attempted addEntry or modifyDN operation names an entry which already exists |
| (6) Affects Multiple DSAs | An attempted update would need to operate on multiple DSAs where this operation is not permitted |
| (7) Object Class Modification Prohibited | An operation attempted to modify the structural object class of an entry |
| (8) No Such Superior | An attempted modifyDN operation names a new superior entry that does not exist |
| (9) Not Ancestor | An operation attempted to delete a compound entry without specifying the ancestor as the object |
| (10) Parent Not Ancestor | An operation attempted to establish an entry as an immediately hierarchical child under a family member that is not the ancestor |
| (11) Hierarchy Rule Violation | An operation attempted to break a rule applicable to a hierarchical group: a hierarchical group has to be completely outside any service specific administrative area or has to be completely contained within a service specific administrative area; a hierarchical group is confined to a single DSA |
| (12) Family Rule Violation | An operation attempted to break a rule applicable to families within a compound entry |