LDAP: Moving and renaming entries and user data


Use ldapmodify with the moddn changetype keyword (RFC 2849 also accepts the older spelling modrdn) to move or rename entries in an LDAP database. A moddn request changes an entry's RDN and, when newsuperior is given, its parent; it cannot be used to move entries between namingContexts or between servers. This article provides an example of moving the entry uid=user.0,ou=people,dc=example,dc=com to the branch ou=people2,dc=example,dc=com.

Given the following entry:


ldapsearch --hostname localhost --port 1389 \
  --searchScope base \
  --baseDn uid=user.0,ou=people,dc=example,dc=com \
 '(objectClass=*)' 1.1
dn: uid=user.0,ou=people,dc=example,dc=com

And the following two branches:


ldapsearch --hostname localhost --port 1389 \
 --searchScope one --baseDn dc=example,dc=com  \
 '(objectClass=*)' 1.1

dn: ou=People,dc=example,dc=com

dn: ou=people2,dc=example,dc=com

Move the user.0 entry from the ou=People branch to the ou=people2 branch. Create the following LDIF:


dn: uid=user.0,ou=people,dc=example,dc=com
changetype: moddn
newrdn: uid=user.0
deleteoldrdn: 1
newsuperior: ou=people2,dc=example,dc=com

The newrdn and deleteoldrdn fields are required when the changetype is moddn. deleteoldrdn: 1 tells the server to remove the old RDN attribute value from the entry; in this example the RDN value (uid=user.0) is unchanged, so the entry's attributes are unaffected. The newsuperior field is optional; if present it must contain the DN of an existing entry, which becomes the new parent of the specified entry (if it does not exist the server returns noSuchObject, decimal 32). If newsuperior is not present, the entry is renamed under its existing parent. Neither the DN nor the newsuperior value may be an alias. If an entry named by newrdn under newsuperior already exists, the operation fails and the result code entryAlreadyExists (decimal 68) is returned to the client.
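The rules above can be checked locally before a change record is sent, which is useful when rename LDIF is generated by a script. The following is an added example and not code from the original article: it parses a moddn record, computes the DN the entry will have afterwards, and decides the result code a server would return against a small constructed directory (the entry names mirror those shown in the article; the naming contexts, the simulated server and the affectsMultipleDSAs answer for a cross-context move are assumptions of the example).

```python
"""Check a moddn change record locally before sending it to a server.

Added example (not code from the original article).  Models the rules
stated above: newrdn and deleteoldrdn are required, newsuperior is optional
and must name an existing entry, the target must not already exist (68),
and a move may not cross naming contexts.  Directory contents below are
constructed for the example; standard library only.
"""
import re

# RFC 4511 result codes used by the simulated server decision.
SUCCESS = 0
NO_SUCH_OBJECT = 32
ENTRY_ALREADY_EXISTS = 68
AFFECTS_MULTIPLE_DSAS = 71  # assumed answer for a rename across naming contexts

def unfold_ldif(text):
    """Join RFC 2849 continuation lines (a leading space) and drop comments."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw.strip() and not raw.startswith("#"):
            lines.append(raw)
    return lines

def parse_moddn(text):
    """Parse one moddn/modrdn change record; raise ValueError if malformed."""
    rec = {}
    for line in unfold_ldif(text):
        name, sep, value = line.partition(":")
        if not sep or value.startswith(":"):   # base64 ("::") values not needed here
            raise ValueError("unsupported LDIF line: %r" % line)
        rec[name.strip().lower()] = value.strip()
    if rec.get("changetype", "").lower() not in ("moddn", "modrdn"):
        raise ValueError("changetype must be moddn (or modrdn)")
    for field in ("dn", "newrdn", "deleteoldrdn"):   # required by RFC 2849
        if field not in rec:
            raise ValueError("missing required field: " + field)
    if rec["deleteoldrdn"] not in ("0", "1"):
        raise ValueError("deleteoldrdn must be 0 or 1")
    return rec

def split_dn(dn):
    """Split a DN into RDNs on commas that are not backslash-escaped."""
    return [p.strip() for p in re.split(r"(?<!\\),", dn)]

def norm(dn):
    """Case- and whitespace-insensitive key so DNs can be compared."""
    return ",".join(p.lower() for p in split_dn(dn))

def parent_dn(dn):
    return ",".join(split_dn(dn)[1:])

def resulting_dn(rec):
    """DN the entry will carry once the moddn has been applied."""
    return rec["newrdn"] + "," + (rec.get("newsuperior") or parent_dn(rec["dn"]))

def naming_context_of(dn, naming_contexts):
    """The suffix from naming_contexts that holds dn, or None."""
    key = norm(dn)
    for nc in naming_contexts:
        if key == norm(nc) or key.endswith("," + norm(nc)):
            return norm(nc)
    return None

def simulate_moddn(rec, existing_dns, naming_contexts):
    """Result code a server would return for rec against the given directory."""
    existing = {norm(d) for d in existing_dns}
    superior = rec.get("newsuperior") or parent_dn(rec["dn"])
    if norm(rec["dn"]) not in existing or norm(superior) not in existing:
        return NO_SUCH_OBJECT          # entry or new parent does not exist
    if (naming_context_of(rec["dn"], naming_contexts)
            != naming_context_of(superior, naming_contexts)):
        return AFFECTS_MULTIPLE_DSAS   # cannot move between namingContexts
    target = norm(resulting_dn(rec))
    if target in existing and target != norm(rec["dn"]):
        return ENTRY_ALREADY_EXISTS    # newrdn under newsuperior is taken
    return SUCCESS

# Constructed sample directory mirroring the entries shown in the article.
NAMING_CONTEXTS = ["dc=example,dc=com"]
DIRECTORY = ["dc=example,dc=com", "ou=People,dc=example,dc=com",
             "ou=people2,dc=example,dc=com", "uid=user.0,ou=people,dc=example,dc=com"]

# The change record from the article.
RENAME_LDIF = """dn: uid=user.0,ou=people,dc=example,dc=com
changetype: moddn
newrdn: uid=user.0
deleteoldrdn: 1
newsuperior: ou=people2,dc=example,dc=com
"""

if __name__ == "__main__":
    rec = parse_moddn(RENAME_LDIF)
    print(resulting_dn(rec), "->", simulate_moddn(rec, DIRECTORY, NAMING_CONTEXTS))
```

Running the script prints the post-move DN and result code 0 for the article's record; pointing newsuperior at a non-existent branch yields 32, a pre-existing target yields 68, and a parent under a different naming context yields 71.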

Use ldapmodify to move the entry, binding as cn=directory manager (the operation needs write access to both branches). Request the post-read control (OID 1.3.6.1.1.13.2) for the uid attribute so the server echoes the entry's new DN in the response. The command below uses the OpenLDAP ldapmodify in /usr/bin, whose -e postread=uid option attaches the control, rather than the tool used for the searches above. Note that -p 1389 without -ZZ sends the bind password in clear text; use StartTLS (-ZZ) or LDAPS outside a test setup:


/usr/bin/ldapmodify -h localhost -p 1389 \
  -D 'cn=directory manager' -W -c -a \
 -f ~/ldif/rename.LDIF -e postread=uid
Enter LDAP Password: 
modifying rdn of entry "uid=user.0,ou=people,dc=example,dc=com"
control: 1.3.6.1.1.13.2 false ...
# ==> postread
dn: uid=user.0,ou=people2,dc=example,dc=com
uid: user.0
# <== postread


Using Java and the UnboundID LDAP SDK (the same request, with both the pre-read and post-read controls attached):


import com.unboundid.ldap.sdk.Control;
import com.unboundid.ldap.sdk.LDAPConnection;
import com.unboundid.ldap.sdk.LDAPException;
import com.unboundid.ldap.sdk.LDAPResult;
import com.unboundid.ldap.sdk.ModifyDNRequest;
import com.unboundid.ldap.sdk.controls.PostReadRequestControl;
import com.unboundid.ldap.sdk.controls.PreReadRequestControl;

class Example {
  /**
   * Move or rename an entry, attaching the pre-read and post-read request
   * controls so the server returns the named attributes as they were before
   * and after the change.
   *
   * @param bindDn        DN to authenticate as; servers reject anonymous moddn
   * @param newRdn        the new RDN only (for example "uid=user.0"), not a full DN
   * @param newSuperiorDn DN of the new parent, or null to rename in place
   * @return the LDAPResult carrying the response controls, or null on failure
   */
  public LDAPResult modifyDn(String hostname, int port,
                             String bindDn, String password,
                             String existingDn, String newRdn,
                             boolean deleteOldRdn, String newSuperiorDn,
                             String[] preReadAttributes,
                             String[] postReadAttributes) {
    LDAPConnection ldapConnection = null;
    try {
      // Plain LDAP: a simple bind sends the password in clear text. Use an
      // SSLSocketFactory (LDAPS) or StartTLS outside a test environment.
      ldapConnection = new LDAPConnection(hostname, port, bindDn, password);
      Control[] controls = new Control[] {
        new PreReadRequestControl(preReadAttributes),
        new PostReadRequestControl(postReadAttributes)
      };
      ModifyDNRequest r = new ModifyDNRequest(existingDn, newRdn, deleteOldRdn,
                                              newSuperiorDn, controls);
      // modifyDN throws LDAPException for any non-success result code,
      // for example entryAlreadyExists (68) when the target DN is taken.
      return ldapConnection.modifyDN(r);
    } catch (LDAPException lex) {
      System.err.println(lex.getResultCode() + ": " + lex.getLocalizedMessage());
      return null;
    } finally {
      if (ldapConnection != null) {
        ldapConnection.close();   // also runs when modifyDN throws
      }
    }
  }
}


About Terry Gardner

Terry Gardner was a leading directory services architect with experience with many large scale directory services installations and messaging server installations, and was a Subject Matter Expert in the field of Directory Services and Solaris (operating system) performance. Mr. Gardner also participated in the open-source software community. Mr. Gardner passed away in December, 2013.
This entry was posted in computing, Java, LDAP.
