To Move or Rename an Entry Using ldapmodify

This procedure uses the modify DN operation. Before starting this operation, ensure that you are familiar with the section Guidelines and Limitations for Using the Modify DN Operation.

For parts of this procedure, you can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help. Other parts of the procedure can only be done using the command line.

When modifying the DNs of entries that are a uniquemember of a group, you must have the referential integrity plug-in enabled. Referential integrity ensures that the group members get adjusted when the entry is moved. For information about how to enable and configure the referential integrity plug-in, see To Configure the Referential Integrity Plug-In.

1. If you are moving an entry from one parent to another, extend ACI rights on the parent entries.

   • On the current parent entry of the entry to be moved, ensure that the ACI allows the export operations by using the syntax allow (export ...)

   • On the future parent entry of the entry to be moved, ensure that the ACI allows the import operations. by using the syntax allow (import ...)

   For information about using ACIs, see Chapter 6, Directory Server Access Control.

2. Ensure that the modify DN operation is enabled globally, or at least for the suffix or suffixes that will be affected by the move operation.

   To ensure compatibility with previous releases of Directory Server, the modify DN operation is not enabled by default.

   If you have already enabled the modify DN operation previously, go to the next step.

   To enable the modify DN operation globally for a server, use this command:

   $ dsconf set-server-prop -h host -p port moddn-enabled:on

3. Run the ldapmodify command.

   This step uses the modify DN operation. Do one of the following:

   • Move the entry.

     For example, the following command moves the entry uid=bjensen from the subtree for contractors, ou=Contractors,dc=example,dc=com to the subtree for employees, ou=People,dc=example,dc=com:

     $ ldapmodify -h host1 -p 1389 -D cn=admin,cn=Administrators,cn=config -w - Enter bind password: dn: uid=bjensen,ou=Contractors,dc=example,dc=com changetype: modrdn newrdn: uid=bjensen deleteoldrdn: 0 newsuperior: ou=People,dc=example,dc=com

   • Rename the entry.

     For example, the following command renames the entry uid=bbjensen to uid=bjensen:

     $ ldapmodify -h host1 -p 1389 -D cn=admin,cn=Administrators,cn=config -w - Enter bind password: dn: uid=bbjensen,ou=People,dc=example,dc=com changetype: modrdn newrdn: uid=bjensen deleteoldrdn: 1

   Pay attention to the following attributes when writing the LDIF statement:

   • dn - Specifies the entry to rename or move.

   • changetype: modrdn - Specifies that a modify DN operation is to be used.

   • newrdn - Gives the new naming attribute.

   • deleteoldrdn - Indicates whether the previous naming attribute should be removed from the entry (1 is yes, 0 is no).

     Note that you cannot remove a naming attribute from the entry if that attribute is obligatory in the entry definition.

   • newsuperior - Specifies the new superior attribute of the entry.

   For information about the ldapmodify command and its options, see the ldapmodify(1) man page.

4. If you encounter resource limit errors when moving or renaming subtrees that contain a large number of entries, increase the number of locks that can be used by the database.

   $ dsconf set-server-prop -h host -p port db-lock-count:value

   If you modify this property, you must restart the server for the change to take effect.