Supported editions for this feature: Frontline Standard; Business Plus; Enterprise Standard and Enterprise Plus; Education Fundamentals, Education Standard, Teaching and Learning Upgrade, and Education Plus; Enterprise Essentials Plus. Compare your edition
The Secure LDAP service returns error codes when there's an issue in fulfilling the LDAP requests. These errors occur during the process of connecting an LDAP client and any subsequent LDAP queries after the connection. How and whether the LDAP clients expose error codes to end users depends on the specific LDAP client. The error codes described in this article are also displayed in audit logs.
PROTOCOL_ERROR (2)
- Returned when a request specifies an unsupported LDAP version. The Secure LDAP service supports LDAP version 3.
- Returned when a request specifies an unsupported action. Google supports Abandon, Bind, Extended (for StartTLS), Search, and Unbind. Unsupported actions are: Add, Compare, Del, Modify, and ModifyDn.
- Returned when an Extended request specifies an unsupported Oid. Google only supports the Extended action for StartTLS (Oid 1.3.6.1.4.1.1466.20037) over a previously unsecured connection.
AUTH_METHOD_NOT_SUPPORTED (7)
- Returned when a Bind request specifies an unsupported authentication method. Google supports SIMPLE, SASL PLAIN, and SASL EXTERNAL.
ADMIN_LIMIT_EXCEEDED (11)
- The Secure LDAP service has quotas for both bind and search requests. Exceeding either quota will trigger this error message.
- The bind quota is 4 queries per second (QPS) per customer, shared over all domains owned by the customer.
- If you see the ADMIN_LIMIT_EXCEEDED error, determine which operation (search or bind) is exceeding the quota, then try to reduce the frequency of that operation. For example, WiFi authentication using RADIUS can generate a large number of bind operations, exceeding the quota.
CONFIDENTIALITY_REQUIRED (13)
- Returned when an SASL Bind request is issued over an unsecured connection
- Returned when a Search request queries for anything other than server attributes and is issued over an unsecured connection
NO_SUCH_OBJECT (32)
- Returned when searching for something that doesn't exist (for example, an unknown user, group, or organizational unit)
- Returned when searching for a userid that isn't in the directory
INVALID_DN_SYNTAX (34)
- Returned when a Distinguished Name is malformed and not parseable by JNDI. See javax.naming.ldap.LdapName
- Returned when a Distinguished Name includes an attribute with a value that is not a String. Only String values are supported. See javax.naming.directory.Attribute
INAPPROPRIATE_AUTHENTICATION (48)
- Returned when a Bind request specifies a malformed, expired, or otherwise bad client certificate
- Returned when a SASL PLAIN Bind request specifies malformed credentials, or does not specify credentials
INSUFFICIENT_ACCESS_RIGHTS (50)
- Returned when the the Secure LDAP service is OFF for the LDAP client
- Returned when the customer is not licensed to use the Secure LDAP service
- Returned when the Bind request specifies a user that is not licensed to use Secure LDAP
- Returned when the Bind request specifies a user that is disabled
- Returned when a subsequent Bind request (rebind) specifies a user that doesn't belong to an organizational unit that's enabled for authentication in the Secure LDAP configuration
- Returned when a SIMPLE Bind request specifies no credentials (unauthenticated)
UNWILLING_TO_PERFORM (53)
- Returned when a SIMPLE Bind request specifies no credentials (unauthenticated)
OTHER (80)
- This error is returned because of an unexpected result due to a bug in the code. If you receive this error, contact Google Workspace Support or Cloud Identity Premium Support.
CANCELED (118)
- Returned when an Abandon request aborts an existing LDAP operation
