Date: 11-04-2022

How to Properly Use ldapmodrdn in OpenLDAP

The ldapmodrdn tool is used to rename an LDAP entry’s RDN (Relative Distinguished Name) — for example, changing uid=jdoe to uid=john.doe — or to move an entry to a different parent container (like from ou=People to ou=Staff).

This operation is atomic: the entry’s DN changes, but its unique attributes (UID, CN, etc.) remain unchanged unless you specify otherwise.

What ldapmodrdn Does

The LDAP protocol defines a ModifyDN operation (RFC 4511, Section 4.9). ldapmodrdn is the client-side command that issues this operation to an OpenLDAP server.

You can:

Rename the RDN (e.g., change uid=jdoe → uid=john.doe)

Move the entry under a new parent DN (e.g., move from ou=People → ou=Staff)

Control whether the old RDN attribute is retained or deleted

Basic Syntax

ldapmodrdn [options] oldDN newRDN [newSuperior] 

Common options

Example Commands

1. Rename an entry within the same OU

ldapmodrdn -x -H ldap://localhost \
 -D "cn=admin,dc=example,dc=com" -W \
 "uid=jdoe,ou=People,dc=example,dc=com" \
 "uid=john.doe"

This renames uid=jdoe → uid=john.doe within the same container (ou=People).

By default, the old RDN value (uid=jdoe) remains in the entry as an additional attribute value unless you use -r.

2. Rename and remove old RDN

ldapmodrdn -x -H ldap://localhost \
 -D "cn=admin,dc=example,dc=com" -W -r \
 "uid=jdoe,ou=People,dc=example,dc=com" \
 "uid=john.doe"

The -r flag deletes the old RDN attribute from the entry — this is the most common and recommended option to avoid redundant attribute values.

3. Move an entry to a new OU

ldapmodrdn -x -H ldap://localhost \
 -D "cn=admin,dc=example,dc=com" -W \
 "uid=john.doe,ou=People,dc=example,dc=com" \
 "uid=john.doe" \
 "ou=Staff,dc=example,dc=com"

This moves the entry to ou=Staff

The resulting DN becomes this:

uid=john.doe,ou=Staff,dc=example,dc=com

Troubleshooting

ldapmodrdn Man Page