Change RDN from one attribute to another


This topic has 4 replies, 3 voices, and was last updated 5 years, 6 months ago by Ludo.



    Right now we have around 15 million records in production and UID is our RDN. But we want to change the RDN from UID to some other GUID attribute. Both of these (UID and GUID) attributes exist and are already populated with values. So we need to just flip the RDN attribute without affecting any data.

    Current: DN: UID=john,ou=people,dc=xyz,dc=com

    Need to change it to: DN: GUID=3kjkejfkd,ou=people,dc=xyz,dc=com

    Any good solutions will be appreciated.


     Brad Tumy

    Hey Anji,

    I don’t see a reference to it in the OpenDJ docs but here is a reference from the Sun days:
    Modifying Directory Entries (hint: scroll down to “change rdn”).

    You could quickly write a python (or bash) script (I have some examples if you need them) to knock this out. My only concern would be the amount of time it takes to update 15M records.

    Before you try this … check out bugster as I noticed that there are few old issues on this. They very well could all be closed but better safe than sorry.

    Brad Tumy

    • This reply was modified 5 years, 6 months ago by Brad Tumy.

    Thanks Brad. The link that you have given explains how to change the value of the RDN and doesn’t show how to change the RDN attribute itself. Can you confirm please?


     Brad Tumy


    Is this a follow-on question to:

    RDN change for user creation

    It looks like you have the answer for how to change the value that OpenDJ is using on authentication as the RDN but OpenAM’s self-service module is populating the value that you are using for username into this attribute.

    Could you go into a little more detail about your use case? I don’t want to give you incorrect information.


    • This reply was modified 5 years, 6 months ago by Brad Tumy.

    LDAP allows renaming an entry with the moddn operation, using the following LDIF statement.
    You can choose to keep or delete the old RDN.

    ldapmodify ...
    dn: uid=john,ou=people,dc=xyz,dc=com
    changetype: moddn
    newrdn: guid=xxxxxxx
    deleteoldrdn: 0

    It will take a while to loop through all entries, but it’ll work.
    Alternately you could export all data to an LDIF file, use a script to change all records, and then reimport everything.
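One way to produce the per-entry moddn changes described above from an LDIF export, as an added example that is not code from the thread: it parses the export, emits a `changetype: moddn` record with `deleteoldrdn: 0` for every entry whose RDN is still `uid=`, and reports entries that have no `guid` value instead of renaming them. The sample export is constructed, and the code assumes GUID values contain no characters that need DN escaping.

```python
import re

# Constructed sample export (not real data): john renames, jane lacks a guid, bob is done.
SAMPLE_LDIF = """\
dn: uid=john,ou=people,dc=xyz,dc=com
uid: john
guid: 3kjkejfkd

dn: uid=jane,ou=people,dc=xyz,dc=com
uid: jane

dn: guid=abc123,ou=people,dc=xyz,dc=com
uid: bob
guid: abc123
"""

def parse_ldif(text):
    """Return [(dn, {attr: [values]})]; joins folded lines, skips comments."""
    text = text.replace("\n ", "")               # unfold LDIF continuation lines
    parsed = []
    for block in re.split(r"\n\s*\n", text.strip()):
        dn, attrs = None, {}
        for line in block.splitlines():
            if line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            if name.lower() == "dn":
                dn = value.strip()
            else:
                attrs.setdefault(name.lower(), []).append(value.strip())
        parsed.append((dn, attrs))
    return parsed

def build_moddn_ldif(text, old_attr="uid", new_attr="guid"):
    """Return (moddn LDIF for entries whose RDN uses old_attr, DNs skipped for lacking new_attr)."""
    changes, skipped = [], []
    for dn, attrs in parse_ldif(text):
        if not dn.split(",", 1)[0].lower().startswith(old_attr.lower() + "="):
            continue                              # different RDN, or already renamed
        values = attrs.get(new_attr.lower())
        if not values:
            skipped.append(dn)                    # no GUID value: leave the entry alone
            continue
        # deleteoldrdn: 0 keeps the uid value on the entry, as in the LDIF above;
        # assumes values[0] needs no RFC 4514 escaping (true for typical GUIDs)
        changes.append(f"dn: {dn}\nchangetype: moddn\nnewrdn: {new_attr}={values[0]}\ndeleteoldrdn: 0\n")
    return "\n".join(changes), skipped
```

Feed the returned LDIF to ldapmodify and review the skipped list before the run, since those entries would keep their uid RDN.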
