modifyDN

ModifyDN, short for Modify Distinguished Name, is an LDAP operation used to rename an entry or move it to a different part of the directory information tree by changing its distinguished name (DN). It is invoked when an entry’s identity or location changes, such as a person changing a surname or a resource being reassigned to another organizational unit.

The operation specifies the entry’s current DN, a newRelativeDN (newRDN), and, optionally, a newSuperior that designates the entry’s new parent within the directory. It may also include a deleteOldRDN flag, which determines whether the old RDN attribute values should be removed from the entry. For example, moving and renaming a person from cn=John Smith,ou=People,dc=example,dc=com to cn=John Doe,ou=People,dc=example,dc=com with deleteOldRDN set to true will replace the RDN and, if applicable, delete the old cn attribute values from the entry.

Behavior and constraints: The operation is intended to be atomic—either the entry is renamed and/or moved successfully, or it fails with no partial changes. If the target DN already exists, the server typically returns an error such as entryAlreadyExists. The move can include all of an entry’s subordinate entries, so the entire subtree can be relocated under the newSuperior. The server may enforce structural or schema-related constraints and must ensure that the client has sufficient permissions to modify the DN and, if required, to delete old RDN attributes and to write under the new location.

Security and administration: Modifying a DN touches an entry’s identity and its position in the directory, so access control and auditing are important considerations. Use of ModifyDN is common in directory maintenance, reorganization, or user lifecycle workflows.

See also: Rename, Move, LDAP, RFC 4511.
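The request fields and server-side rules described above (newRDN, newSuperior, deleteOldRDN, entryAlreadyExists, subtree relocation, all-or-nothing application), worked through as an added example that is not code from this page or from any LDAP server or client library. It models a tiny constructed directory in memory; the sample DNs, the `sample_directory`, `modify_dn` and `ldif_modrdn` names, and the simplifications (DNs split on bare commas, single-valued RDNs, no access-control check) are assumptions of the example.

```python
# Added illustration (not code from any LDAP server or client library): an in-memory
# model of ModifyDN over a constructed sample tree. DNs split on bare commas; RDNs are single-valued.

def sample_directory():
    """Fresh copy of the constructed tree: {DN: {attribute: set(values)}}."""
    return {
        "ou=People,dc=example,dc=com": {"ou": {"People"}},
        "ou=Staff,dc=example,dc=com": {"ou": {"Staff"}},
        "ou=Sales,ou=People,dc=example,dc=com": {"ou": {"Sales"}},
        "cn=Alice,ou=Sales,ou=People,dc=example,dc=com": {"cn": {"Alice"}},
        "cn=John Smith,ou=People,dc=example,dc=com": {"cn": {"John Smith"}, "sn": {"Smith"}},
        "cn=John Doe,ou=Staff,dc=example,dc=com": {"cn": {"John Doe"}, "sn": {"Doe"}},
    }

def rdn_attr(rdn):
    """'cn=John Smith' -> ('cn', 'John Smith')."""
    attr, value = rdn.split("=", 1)
    return attr.strip().lower(), value.strip()

def ldif_modrdn(dn, new_rdn, delete_old_rdn, new_superior=None):
    """The same request written as an LDIF 'changetype: modrdn' record (ldapmodify input)."""
    lines = ["dn: " + dn, "changetype: modrdn", "newrdn: " + new_rdn,
             "deleteoldrdn: " + ("1" if delete_old_rdn else "0")]
    if new_superior is not None:
        lines.append("newsuperior: " + new_superior)
    return "\n".join(lines) + "\n"

def modify_dn(directory, dn, new_rdn, delete_old_rdn, new_superior=None):
    """Rename and/or move `dn` with its subtree; all checks run before any write, so failure leaves the tree untouched."""
    if dn not in directory:
        raise LookupError("noSuchObject: " + dn)
    old_rdn, _, parent_dn = dn.partition(",")
    if new_superior is not None:
        if new_superior not in directory or new_superior == dn or new_superior.endswith("," + dn):
            raise LookupError("cannot move under " + new_superior)  # missing parent, or inside its own subtree
        parent_dn = new_superior
    new_dn = new_rdn + ("," + parent_dn if parent_dn else "")
    moves = {old: old[:-len(dn)] + new_dn for old in directory if old.endswith("," + dn)}
    moves[dn] = new_dn  # descendants are re-keyed together with the entry itself
    for target in moves.values():
        if target in directory and target not in moves:
            raise FileExistsError("entryAlreadyExists: " + target)
    entry, (old_attr, old_val), (new_attr, new_val) = directory[dn], rdn_attr(old_rdn), rdn_attr(new_rdn)
    entry.setdefault(new_attr, set()).add(new_val)  # the new RDN value must be present in the entry
    if delete_old_rdn and (old_attr, old_val) != (new_attr, new_val):
        entry.get(old_attr, set()).discard(old_val)  # deleteOldRDN: drop the superseded RDN value
    for old, new in moves.items():
        directory[new] = directory.pop(old)
    return new_dn
```

With deleteOldRDN false the entry keeps both cn values, which is the usual source of "stale RDN attribute" findings in directory audits.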