3.1.1.3.1.9 Error Message Strings

When the server fails an LDAP operation with an error, and the server has sufficient resources to compute a string value for the errorMessage field of the LDAPResult, it includes a string in the errorMessage field of the LDAPResult (see [RFC2251] section 4.1.10). The string contains further information about the error.

The first eight characters of the errorMessage string are a 32-bit integer, expressed in hexadecimal. Where protocol specifies the extended error code "<unrestricted>" there is no restriction on the value of the 32-bit integer.  It is recommended that implementations use a Windows error code for the 32-bit integer in this case in order to improve usability of the directory for clients.  Where protocol specifies an extended error code which is a Windows error code, the 32-bit integer is the specified Windows error code.  Any data after the eighth character is strictly informational and used only for debugging. Conformant implementations need not put any value beyond the eighth character of the errorMessage field.

When the server returns a referral and not an error, the errorMessage field is used as described in section 3.1.1.3.1.1.4.