Renaming LDAP entries

There are a number of ways to rename LDAP entries. The simplest and most straightforward involves a modrdn operation. Secret recipe below.

Say you have around 40,000 user entries that you have to rename so that the rdn (relative distinguished name, the leading portion of the LDAP entry name — “dn: uid=samc”) is changed from the time-honored and civilized “uid=” to the backwards and barbaric “cn=”.

You could create an LDIF command file that alternately deletes each entry with the old rdn and then recreates it with the new one.

But, assuming your target directory server supports it, there is a better way: modrdn.

The modrdn operation is a more efficient way of renaming LDAP entries where the only element changing is the rdn. Not all directory servers support modrdn, and even on those that do you need to be careful of the specific configuration being run.

The following example uses the OpenDJ version of ldapmodify against an OpenDJ 2.5.0 directory server.

ldapmodify -h localhost -p 1389 -D "cn=directory manager" \
-j $HOME/etc/pwd.txt \
-c -f modifies.ldif

Notice I’ve used the “-j” option with the command. Given the number of entries being modified in this example it is best to run it as a batch job. Using “-j” reads the bind password from a file, which is batch-friendly and keeps the password out of the command line (and thus out of shell history and process listings). The “-c” option tells ldapmodify to continue past an entry that fails rather than aborting the whole batch.

Here’s what that modifies.ldif command file might look like:

dn: uid=samc,ou=people,dc=example,dc=com
changetype: modrdn
newrdn: cn=samc
deleteoldrdn: 0

dn: uid=johnb,ou=people,dc=example,dc=com
changetype: modrdn
newrdn: cn=johnb
deleteoldrdn: 0

Notice a couple of things here:

First, the newrdn value can use whatever naming attribute you’d like; cn is only an example. Also, the rdn value does not have to be the same as the original rdn value, so you could have had “newrdn: cn=samchampion” or “newrdn: cn=johnbutera”.

Second, the deleteoldrdn directive tells the server whether or not you want to delete the original naming attribute and value from the entry. If the entry includes “objectclass: shadowAccount” the uid attribute is required, and so you must set “deleteoldrdn: 0” (asking the server to remove a required attribute makes the rename fail with an object class violation). In most cases you will not want to delete the old naming attribute and its original value (to tell the server to delete it, set “deleteoldrdn: 1”).

You can create the input file for this command in different ways. What I usually do is an LDIF dump of the original entries using ldapsearch, back it up, and then run it through a script that captures the original dn and naming attribute to create a new LDIF with the needed directives. I’ll provide an example in a future post.
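Such a generator script, as an added example that is not the author's: it parses an ldapsearch LDIF dump, emits one modrdn change per entry whose rdn uses the old naming attribute, and forces “deleteoldrdn: 0” wherever an object class requires uid. The sample dump and the shadowAccount/posixAccount rule are my constructed assumptions.

```python
# Constructed sample of an ldapsearch LDIF dump; plain (non-base64) values assumed.
SAMPLE_LDIF = """\
dn: uid=samc,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: shadowAccount
uid: samc
cn: Sam Champion

dn: uid=johnb,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: johnb
cn: John Butera

dn: cn=already,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
cn: already
"""

def parse_ldif(text):
    """Return [(dn, {attr: [values]})]; folded lines are joined, comments skipped."""
    entries = []
    for block in text.replace("\n ", "").split("\n\n"):   # unfold, then split entries
        dn, attrs = None, {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            name, value = name.lower(), value.strip()
            if name == "dn":
                dn = value
            else:
                attrs.setdefault(name, []).append(value)
        if dn is not None:
            entries.append((dn, attrs))
    return entries

def modrdn_ldif(entries, old_attr="uid", new_attr="cn", delete_old=False):
    """Emit one modrdn change per entry whose rdn uses old_attr; others are skipped."""
    # uid is MUST for these classes; deleteoldrdn: 1 would be an objectClassViolation.
    uid_required_by = {"shadowaccount", "posixaccount"}
    changes = []
    for dn, attrs in entries:
        attr, _, value = dn.partition(",")[0].partition("=")
        if attr.lower() != old_attr:
            continue                      # not (or no longer) named by old_attr
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        keep = (not delete_old) or bool(classes & uid_required_by)
        changes.append(f"dn: {dn}\nchangetype: modrdn\nnewrdn: {new_attr}={value}\n"
                       f"deleteoldrdn: {0 if keep else 1}\n")
    return "\n".join(changes)
```

Write the returned text to modifies.ldif and feed it to the ldapmodify command shown above.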