char *
ldap_err2string( int err )
{
char *m;
Debug( LDAP_DEBUG_TRACE, "ldap_err2string\n", 0, 0, 0 );
switch ( err ) {
# define C(code, message) case code: m = message; break
/* LDAPv3 (RFC 4511) codes */
C(LDAP_SUCCESS, N_("Success"));
C(LDAP_OPERATIONS_ERROR, N_("Operations error"));
C(LDAP_PROTOCOL_ERROR, N_("Protocol error"));
C(LDAP_TIMELIMIT_EXCEEDED, N_("Time limit exceeded"));
C(LDAP_SIZELIMIT_EXCEEDED, N_("Size limit exceeded"));
C(LDAP_COMPARE_FALSE, N_("Compare False"));
C(LDAP_COMPARE_TRUE, N_("Compare True"));
C(LDAP_STRONG_AUTH_NOT_SUPPORTED,N_("Authentication method not supported"));
C(LDAP_STRONG_AUTH_REQUIRED, N_("Strong(er) authentication required"));
C(LDAP_REFERRAL, N_("Referral"));
C(LDAP_ADMINLIMIT_EXCEEDED, N_("Administrative limit exceeded"));
C(LDAP_UNAVAILABLE_CRITICAL_EXTENSION,
N_("Critical extension is unavailable"));
C(LDAP_CONFIDENTIALITY_REQUIRED,N_("Confidentiality required"));
C(LDAP_SASL_BIND_IN_PROGRESS, N_("SASL bind in progress"));
C(LDAP_NO_SUCH_ATTRIBUTE, N_("No such attribute"));
C(LDAP_UNDEFINED_TYPE, N_("Undefined attribute type"));
C(LDAP_INAPPROPRIATE_MATCHING, N_("Inappropriate matching"));
C(LDAP_CONSTRAINT_VIOLATION, N_("Constraint violation"));
C(LDAP_TYPE_OR_VALUE_EXISTS, N_("Type or value exists"));
C(LDAP_INVALID_SYNTAX, N_("Invalid syntax"));
C(LDAP_NO_SUCH_OBJECT, N_("No such object"));
C(LDAP_ALIAS_PROBLEM, N_("Alias problem"));
C(LDAP_INVALID_DN_SYNTAX, N_("Invalid DN syntax"));
C(LDAP_ALIAS_DEREF_PROBLEM, N_("Alias dereferencing problem"));
C(LDAP_INAPPROPRIATE_AUTH, N_("Inappropriate authentication"));
C(LDAP_INVALID_CREDENTIALS, N_("Invalid credentials"));
C(LDAP_INSUFFICIENT_ACCESS, N_("Insufficient access"));
C(LDAP_BUSY, N_("Server is busy"));
C(LDAP_UNAVAILABLE, N_("Server is unavailable"));
C(LDAP_UNWILLING_TO_PERFORM, N_("Server is unwilling to perform"));
C(LDAP_LOOP_DETECT, N_("Loop detected"));
C(LDAP_NAMING_VIOLATION, N_("Naming violation"));
C(LDAP_OBJECT_CLASS_VIOLATION, N_("Object class violation"));
C(LDAP_NOT_ALLOWED_ON_NONLEAF, N_("Operation not allowed on non-leaf"));
C(LDAP_NOT_ALLOWED_ON_RDN, N_("Operation not allowed on RDN"));
C(LDAP_ALREADY_EXISTS, N_("Already exists"));
C(LDAP_NO_OBJECT_CLASS_MODS, N_("Cannot modify object class"));
C(LDAP_AFFECTS_MULTIPLE_DSAS, N_("Operation affects multiple DSAs"));
/* Virtual List View draft */
C(LDAP_VLV_ERROR, N_("Virtual List View error"));
C(LDAP_OTHER, N_("Other (e.g., implementation specific) error"));
/* LDAPv2 (RFC 1777) codes */
C(LDAP_PARTIAL_RESULTS, N_("Partial results and referral received"));
C(LDAP_IS_LEAF, N_("Entry is a leaf"));
/* Connection-less LDAP (CLDAP - RFC 1798) code */
C(LDAP_RESULTS_TOO_LARGE, N_("Results too large"));
/* Cancel Operation (RFC 3909) codes */
C(LDAP_CANCELLED, N_("Cancelled"));
C(LDAP_NO_SUCH_OPERATION, N_("No Operation to Cancel"));
C(LDAP_TOO_LATE, N_("Too Late to Cancel"));
C(LDAP_CANNOT_CANCEL, N_("Cannot Cancel"));
/* Assert Control (RFC 4528 and old internet-draft) codes */
C(LDAP_ASSERTION_FAILED, N_("Assertion Failed"));
C(LDAP_X_ASSERTION_FAILED, N_("Assertion Failed (X)"));
/* Proxied Authorization Control (RFC 4370 and I-D) codes */
C(LDAP_PROXIED_AUTHORIZATION_DENIED, N_("Proxied Authorization Denied"));
C(LDAP_X_PROXY_AUTHZ_FAILURE, N_("Proxy Authorization Failure (X)"));
/* Content Sync Operation (RFC 4533 and I-D) codes */
C(LDAP_SYNC_REFRESH_REQUIRED, N_("Content Sync Refresh Required"));
C(LDAP_X_SYNC_REFRESH_REQUIRED, N_("Content Sync Refresh Required (X)"));
/* No-Op Control (draft-zeilenga-ldap-noop) code */
C(LDAP_X_NO_OPERATION, N_("No Operation (X)"));
/* Client Update Protocol (RFC 3928) codes */
C(LDAP_CUP_RESOURCES_EXHAUSTED, N_("LCUP Resources Exhausted"));
C(LDAP_CUP_SECURITY_VIOLATION, N_("LCUP Security Violation"));
C(LDAP_CUP_INVALID_DATA, N_("LCUP Invalid Data"));
C(LDAP_CUP_UNSUPPORTED_SCHEME, N_("LCUP Unsupported Scheme"));
C(LDAP_CUP_RELOAD_REQUIRED, N_("LCUP Reload Required"));
#ifdef LDAP_X_TXN
/* Codes related to LDAP Transactions (draft-zeilenga-ldap-txn) */
C(LDAP_X_TXN_SPECIFY_OKAY, N_("TXN specify okay"));
C(LDAP_X_TXN_ID_INVALID, N_("TXN ID is invalid"));
#endif
/* API codes - renumbered since draft-ietf-ldapext-ldap-c-api */
C(LDAP_SERVER_DOWN, N_("Can't contact LDAP server"));
C(LDAP_LOCAL_ERROR, N_("Local error"));
C(LDAP_ENCODING_ERROR, N_("Encoding error"));
C(LDAP_DECODING_ERROR, N_("Decoding error"));
C(LDAP_TIMEOUT, N_("Timed out"));
C(LDAP_AUTH_UNKNOWN, N_("Unknown authentication method"));
C(LDAP_FILTER_ERROR, N_("Bad search filter"));
C(LDAP_USER_CANCELLED, N_("User cancelled operation"));
C(LDAP_PARAM_ERROR, N_("Bad parameter to an ldap routine"));
C(LDAP_NO_MEMORY, N_("Out of memory"));
C(LDAP_CONNECT_ERROR, N_("Connect error"));
C(LDAP_NOT_SUPPORTED, N_("Not Supported"));
C(LDAP_CONTROL_NOT_FOUND, N_("Control not found"));
C(LDAP_NO_RESULTS_RETURNED, N_("No results returned"));
C(LDAP_MORE_RESULTS_TO_RETURN, N_("More results to return"));
C(LDAP_CLIENT_LOOP, N_("Client Loop"));
C(LDAP_REFERRAL_LIMIT_EXCEEDED, N_("Referral Limit Exceeded"));
# undef C
default:
m = (LDAP_API_ERROR(err) ? N_("Unknown API error")
: LDAP_E_ERROR(err) ? N_("Unknown (extension) error")
: LDAP_X_ERROR(err) ? N_("Unknown (private extension) error")
: N_("Unknown error"));
break;
}
return _(m);
}
int translate_ldap_error(int err, int op) {
switch (err) {
case LDAP_SUCCESS:
return 0;
case LDAP_OPERATIONS_ERROR:
/* LDAP_OPERATIONS_ERROR: Indicates an internal error. The server is
* unable to respond with a more specific error and is also unable
* to properly respond to a request */
case LDAP_UNAVAILABLE_CRITICAL_EXTENSION:
/* LDAP server was unable to satisfy a request because one or more
* critical extensions were not available */
/* This might mean that the schema was not extended ... */
case LDAP_UNDEFINED_TYPE:
/* The attribute specified in the modify or add operation does not
* exist in the LDAP server's schema. */
return KRB5_KDB_INTERNAL_ERROR;
case LDAP_INAPPROPRIATE_MATCHING:
/* The matching rule specified in the search filter does not match a
* rule defined for the attribute's syntax */
return KRB5_KDB_UK_RERROR;
case LDAP_CONSTRAINT_VIOLATION:
/* The attribute value specified in a modify, add, or modify DN
* operation violates constraints placed on the attribute */
case LDAP_TYPE_OR_VALUE_EXISTS:
/* The attribute value specified in a modify or add operation
* already exists as a value for that attribute */
return KRB5_KDB_UK_SERROR;
case LDAP_INVALID_SYNTAX:
/* The attribute value specified in an add, compare, or modify
* operation is an unrecognized or invalid syntax for the attribute */
if (op == OP_ADD || op == OP_MOD)
return KRB5_KDB_UK_SERROR;
else /* OP_CMP */
return KRB5_KDB_UK_RERROR;
/* Ensure that the following don't occur in the DAL-LDAP code.
* Don't rely on the LDAP server to catch it */
case LDAP_SASL_BIND_IN_PROGRESS:
/* This is not an error. So, this function should not be called */
case LDAP_COMPARE_FALSE:
case LDAP_COMPARE_TRUE:
/* LDAP_COMPARE_FALSE and LDAP_COMPARE_TRUE are not errors. This
* function should not be invoked for them */
case LDAP_RESULTS_TOO_LARGE: /* CLDAP */
case LDAP_TIMELIMIT_EXCEEDED:
case LDAP_SIZELIMIT_EXCEEDED:
return KRB5_KDB_SERVER_INTERNAL_ERR;
case LDAP_INVALID_DN_SYNTAX:
/* The syntax of the DN is incorrect */
return EINVAL;
case LDAP_PROTOCOL_ERROR:
/* LDAP_PROTOCOL_ERROR: Indicates that the server has received an
* invalid or malformed request from the client */
case LDAP_CONFIDENTIALITY_REQUIRED:
/* Bind problems ... */
case LDAP_AUTH_METHOD_NOT_SUPPORTED:
/* case LDAP_STRONG_AUTH_NOT_SUPPORTED: // Is this a bind error ? */
case LDAP_INAPPROPRIATE_AUTH:
case LDAP_INVALID_CREDENTIALS:
case LDAP_UNAVAILABLE:
case LDAP_SERVER_DOWN: /* Solaris Kerberos */
case LDAP_CONNECT_ERROR: /* Solaris Kerberos */
return KRB5_KDB_ACCESS_ERROR;
case LDAP_STRONG_AUTH_REQUIRED:
if (op == OP_BIND) /* the LDAP server accepts only strong authentication. */
return KRB5_KDB_ACCESS_ERROR;
else /* Client requested an operation such that requires strong authentication */
return KRB5_KDB_CONSTRAINT_VIOLATION;
case LDAP_REFERRAL:
return KRB5_KDB_NOENTRY;
case LDAP_ADMINLIMIT_EXCEEDED:
/* An LDAP server limit set by an administrative authority has been
* exceeded */
return KRB5_KDB_CONSTRAINT_VIOLATION;
case LDAP_UNWILLING_TO_PERFORM:
/* The LDAP server cannot process the request because of
* server-defined restrictions */
return KRB5_KDB_CONSTRAINT_VIOLATION;
case LDAP_NO_SUCH_ATTRIBUTE:
/* Indicates that the attribute specified in the modify or compare
* operation does not exist in the entry */
if (op == OP_MOD)
return KRB5_KDB_UK_SERROR;
else /* OP_CMP */
return KRB5_KDB_TRUNCATED_RECORD;
case LDAP_ALIAS_DEREF_PROBLEM:
/* Either the client does not have access rights to read the aliased
* object's name or dereferencing is not allowed */
#ifdef LDAP_PROXY_AUTHZ_FAILURE
case LDAP_PROXY_AUTHZ_FAILURE: // Is this correct ?
#endif
case LDAP_INSUFFICIENT_ACCESS:
/* Caller does not have sufficient rights to perform the requested
* operation */
return KRB5_KDB_UNAUTH;
case LDAP_LOOP_DETECT:
/* Client discovered an alias or referral loop */
return KRB5_KDB_DB_CORRUPT;
default:
if (LDAP_NAME_ERROR (err))
return KRB5_KDB_NOENTRY;
/*LINTED*/
if (LDAP_SECURITY_ERROR (err))
return KRB5_KDB_UNAUTH;
/*LINTED*/
if (LDAP_SERVICE_ERROR (err) || LDAP_API_ERROR (err) || LDAP_X_ERROR (err))
return KRB5_KDB_ACCESS_ERROR;
/*LINTED*/
if (LDAP_UPDATE_ERROR(err))
return KRB5_KDB_UK_SERROR;
/* LDAP_OTHER */
return KRB5_KDB_SERVER_INTERNAL_ERR;
}
}
