When you use the modify DN operation, as described in the previous section, use the guidelines described in the following sections.
Do not use the modify DN operation to move an entry from one suffix to another suffix, or to rename or move the root suffix.
Ensure that you are running Directory Server 5.2 2005Q1 or later. The modify DN operation cannot be used on versions of Directory Server prior to Directory Server 5.2 2005Q1.
Do not use the entryid operational attribute in your application because it is reserved for internal use only. The entryid attribute of an entry can change when an entry is moved.
Enable the modify DN operation globally for all suffixes on a server, or individually on each suffix where you wish to run the operation. By default the modify DN operation is disabled.
Extend the ACI rights on each suffix where you wish to run the modify DN operation. The Import access right allows an entry to be imported to the specified DN. The Export access right allows an entry to be exported from the specified DN.
Before performing a modify DN operation, ensure that the operation would not break client authentication. If you move an entry that refers to a client certificate, client authentication will break. After moving an entry, validate your certificates.
Before performing a modify DN operation, ensure that the operation would not break your application. The rename or move of an entry can affect several suffixes, or can change the following characteristics of the entry:
The scope of a filtered role of an entry.
The nested role of an entry, where the nested role contains a filtered role.
The dynamic group membership of an entry.
Using the modify DN operation without complying with the following requirements can break replication and bring down your directory service.
Ensure that all servers in your replication topology are running at least Directory Server 5.2. You cannot use the modify DN operation on versions of Directory Server prior to Directory Server 5.2.
Enable the modify DN operation on all servers in your replication topology. If the modify DN operation is supported on the master server but not on the consumer server, replication will fail. A message similar to the following will be written to the error log on the supplier server:
Unable to start a replication session with MODDN enabled
To restart replication, reconfigure the replication topology to enable the modify DN operation on all servers. and then start a replication session in one of the following ways:
By following the instructions in To Force Replication Updates.
By changing an entry on the supplier server. The change is replicated to the consumer servers.
Enable and configure the referential integrity plug-in on all master replicas in the topology. This action ensures that the server maintains referential integrity for groups and roles. For information about how to enable and configure the referential integrity plug-in, see To Configure the Referential Integrity Plug-In.
After performing a modify DN operation, allow time for the referential integrity plug-in to replicate its changes.