Ok, let me rephrase this. I have read many books, like O'Reilly's LDAP System Administration, or docs like http://tools.ietf.org/html/rfc4511#section-4.9, that explain this exactly:
The Modify DN operation allows a client to change the Relative Distinguished Name (RDN) of an entry in the Directory and/or to move a subtree of entries to a new location in the Directory. The Modify DN Request is defined as follows:
ModifyDNRequest ::= [APPLICATION 12] SEQUENCE {
     entry           LDAPDN,
     newrdn          RelativeLDAPDN,
     deleteoldrdn    BOOLEAN,
     newSuperior     [0] LDAPDN OPTIONAL }
Fields of the Modify DN Request are:
- entry: the name of the entry to be changed. This entry may or may not have subordinate entries.
- newrdn: the new RDN of the entry. The value of the old RDN is supplied when moving the entry to a new superior without changing its RDN. Attribute values of the new RDN not matching any attribute value of the entry are added to the entry, and an appropriate error is returned if this fails.
I read the paragraph above, and it seems pretty straightforward. I believe I understand how it works, but when I try to apply this to what I need I don't know what to do. I can change the UID, or other fields of the users or groups, but I can't change the dn.
For me OpenLDAP has been really hard to understand; it is really technical, and usually I am really good at this stuff. I am pretty sure I have huge gaps of knowledge that require more reading and a better understanding of the standards. But that is why I usually ask here when I am stuck.
This is usually the last place I resort to when I don't have answers.
Thanks,
Juan Diego
----- Original Message -----
From: masarati@aero.polimi.it
To: "Juan Diego Calle" juandiego.calle@soportelibre.com
Cc: openldap-technical@openldap.org
Sent: Monday, September 12, 2011 4:08:57 PM GMT -05:00 Colombia
Subject: Re: Change a user dn
You didn't try all combinations of parameters, you need to be exhaustive when doing trial and error, otherwise there is no guarantee you get to the right combination in a finite amount of time. Or, you can read RFC4511 and find out how to do things right the first time.
p.
Hi, thanks for the help. I have been trying a few things with ldapmodify.
I need to modify the user from dn: uid=user1,ou=People,dc=mydomain,dc=com to dn: uid=user1,ou=Group1,ou=People,dc=mydomain,dc=com
I have tried some of the following attempts:
dn: uid=user1,ou=People,dc=mydomain,dc=com
changetype: modify
replace: dn
dn: uid=user1,ou=Group1,ou=People,dc=mydomain,dc=com
That, according to what I have read, doesn't work, because dn is not exactly like an attribute.
dn: uid=user1,ou=People,dc=mydomain,dc=com
changeType: modrdn
newRDN: uid=user1,ou=Group1,ou=People,dc=mydomain,dc=com
deleteOldRDN: 1
and this one gives me
modifying rdn of entry "uid=user1,ou=People,dc=mydomain,dc=com"
rename completed
ldapmodify: Invalid DN syntax (34)
        additional info: invalid new RDN
I don't know how to add an ou to the dn.
Thanks
----- Original Message -----
From: "Andrey A. Konovalov" mudraia@list.ru
To: openldap-technical@openldap.org
Sent: Friday, September 9, 2011 12:43:01 PM GMT -05:00 Colombia
Subject: Re: Change a user dn
Hi
I have OpenLDAP with Samba, and some users. My users are part of ou=People,dc=mydomain,dc=com, like this: dn: uid=user1,ou=People,dc=mydomain,dc=com
So I wanted some of my users to be able to administer a group of users and be able to create users, so a friend of mine recommended that I do the following: create a group like this
dn: cn=Admin Group1,cn=Admins,ou=People,dc=mydomain,dc=com
objectClass: groupOfNames
objectClass: top
cn: Admin Group1
member: uid=adming1,ou=People,dc=mydomain,dc=com
and
dn: ou=Group1,ou=People,dc=mydomain,dc=com
objectClass: organizationalUnit
objectClass: top
ou: U.A.A. Group1
The users of this "group" would have to be
dn: uid=user1,ou=Group1,ou=People,dc=mydomain,dc=com
And with an ACL I give Admin Group1 users complete control over that ou.
So this seems to work. But I already have users that use my LDAP; is it possible to change their dn? I am not clear on how to do this.
Thanks,
Juan Diego
Maybe (do it with ldapmodify, f.ex.):
dn: uid=user1,dc=tratata,dc=com
changeType: modrdn
newRDN: uid=user2
deleteOldRDN: 1
???
Andrey A. Konovalov mudraia@list.ru
On Mon, 12 Sep 2011, Juan Diego Calle wrote:
Ok, let me rephrase this. I have read many books, like O'Reilly's LDAP System Administration, or docs like http://tools.ietf.org/html/rfc4511#section-4.9, that explain this exactly:
The Modify DN operation allows a client to change the Relative Distinguished Name (RDN) of an entry in the Directory and/or to move a subtree of entries to a new location in the Directory. The Modify DN Request is defined as follows:
ModifyDNRequest ::= [APPLICATION 12] SEQUENCE {
     entry           LDAPDN,
     newrdn          RelativeLDAPDN,
     deleteoldrdn    BOOLEAN,
     newSuperior     [0] LDAPDN OPTIONAL }
Fields of the Modify DN Request are:
- entry: the name of the entry to be changed. This entry may or may not have subordinate entries.
- newrdn: the new RDN of the entry. The value of the old RDN is supplied when moving the entry to a new superior without changing its RDN. Attribute values of the new RDN not matching any attribute value of the entry are added to the entry, and an appropriate error is returned if this fails.
At that point in the RFC is a page break, followed by a description of the *other* two fields in the request:
- deleteoldrdn: a boolean field that controls whether the old RDN attribute values are to be retained as attributes of the entry or deleted from the entry.
- newSuperior: if present, this is the name of an existing object entry that becomes the immediate superior (parent) of the existing entry.
I read the paragraph above, and it seems pretty straightforward. I believe I understand how it works, but when I try to apply this to what I need I don't know what to do. I can change the UID, or other fields of the users or groups, but I can't change the dn.
...
dn: uid=user1,ou=People,dc=mydomain,dc=com
changeType: modrdn
newRDN: uid=user1,ou=Group1,ou=People,dc=mydomain,dc=com
deleteOldRDN: 1
The newRDN field takes a *relative* DN, not a full DN, so that has to be:
newRDN: uid=user1
Now, do you want "uid: user1" to continue to be present in the entry? Yes, so deleteOldRDN should be 0 instead of 1. So at that point you have this:
dn: uid=user1,ou=People,dc=mydomain,dc=com
changeType: modrdn
newRDN: uid=user1
deleteOldRDN: 0
Where's the specification of the rest of the new DN? Ah, that's the newSuperior field:
newSuperior: ou=Group1,ou=People,dc=mydomain,dc=com
Putting it together:
dn: uid=user1,ou=People,dc=mydomain,dc=com
changeType: modrdn
newRDN: uid=user1
deleteOldRDN: 0
newSuperior: ou=Group1,ou=People,dc=mydomain,dc=com
Oh, and also on that next page of the RFC you'll find this paragraph:
The object named in newSuperior MUST exist. For example, if the client attempted to add <CN=JS,DC=Example,DC=NET>, the <DC=Example,DC=NET> entry did not exist, and the <DC=NET> entry did exist, then the server would return the noSuchObject result code with the matchedDN field containing <DC=NET>.
So, does "ou=Group1,ou=People,dc=mydomain,dc=com" exist before you do this?
Alternatively, a simpler way to tackle this problem might be to use the ldapmodrdn binary and its -s option.
Philip Guenther
openldap-technical@openldap.org
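An added worked example, not part of the thread, covering both the RFC 4511 field descriptions quoted earlier and the walkthrough above: given the entry's current DN and the DN it should end up with, it derives the modrdn change record (a single relative newrdn, deleteoldrdn, and newsuperior only when the parent changes), rejects a newrdn that is a full DN (the shape of the "invalid new RDN" failure in the thread), simulates the server's "newSuperior MUST exist" check with the matchedDN the RFC describes, and shows that Modify DN carries the whole subtree. The DIRECTORY list and the helper names (split_dn, build_modrdn, check_new_superior, apply_modrdn) are constructed for this example; DN matching is simplified to case-insensitive comparison of each RDN.

```python
"""Build and sanity-check an LDAP Modify DN (modrdn) change record offline."""

# Constructed sample directory (just a list of DNs), not taken from the thread.
DIRECTORY = [
    "dc=mydomain,dc=com",
    "ou=People,dc=mydomain,dc=com",
    "uid=user1,ou=People,dc=mydomain,dc=com",
    "ou=Group1,ou=People,dc=mydomain,dc=com",
]


def split_dn(dn):
    """Split a DN string into its RDN components, honouring backslash-escaped commas."""
    parts, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur).strip())
    return parts


def normalize(dn):
    """Simplified comparison key: lower-case each RDN (real LDAP matching rules are richer)."""
    return [p.lower() for p in split_dn(dn)]


def rdn_is_relative(value):
    """True if value is a single RDN, i.e. has no unescaped comma (what newrdn requires)."""
    return len(split_dn(value)) == 1


def build_modrdn(old_dn, new_dn, keep_old_rdn=True):
    """Return the LDIF change record that renames or moves old_dn so it becomes new_dn."""
    new_parts = split_dn(new_dn)
    new_rdn, new_superior = new_parts[0], ",".join(new_parts[1:])
    lines = [
        "dn: " + old_dn,
        "changetype: modrdn",
        "newrdn: " + new_rdn,
        "deleteoldrdn: " + ("0" if keep_old_rdn else "1"),
    ]
    # newsuperior is only needed when the parent actually changes
    if normalize(new_superior) != normalize(",".join(split_dn(old_dn)[1:])):
        lines.append("newsuperior: " + new_superior)
    return "\n".join(lines) + "\n"


def check_new_superior(new_superior, directory):
    """Simulate the server-side 'newSuperior MUST exist' rule (RFC 4511 section 4.9).

    Returns ("success", None) when the parent exists, otherwise ("noSuchObject", matchedDN)
    where matchedDN is the longest suffix of new_superior that does exist ("" if none).
    """
    existing = {tuple(normalize(d)) for d in directory}
    parts = split_dn(new_superior)
    for i in range(len(parts)):
        candidate = ",".join(parts[i:])
        if tuple(normalize(candidate)) in existing:
            return ("success", None) if i == 0 else ("noSuchObject", candidate)
    return "noSuchObject", ""


def apply_modrdn(directory, old_dn, new_dn):
    """Return a copy of directory with old_dn and its whole subtree renamed under new_dn."""
    old_parts, new_parts = normalize(old_dn), split_dn(new_dn)
    n = len(old_parts)
    result = []
    for dn in directory:
        parts = split_dn(dn)
        if len(parts) >= n and normalize(dn)[-n:] == old_parts:
            parts = parts[:-n] + new_parts  # swap the matching suffix for the new DN
        result.append(",".join(parts))
    return result


if __name__ == "__main__":
    old = "uid=user1,ou=People,dc=mydomain,dc=com"
    new = "uid=user1,ou=Group1,ou=People,dc=mydomain,dc=com"
    print(build_modrdn(old, new))
    print(check_new_superior(",".join(split_dn(new)[1:]), DIRECTORY))
    print(apply_modrdn(DIRECTORY, old, new))
```

The record that build_modrdn prints is in the form ldapmodify reads from standard input, so the same function can generate the change for every user being moved under ou=Group1; running check_new_superior first against an export of the directory catches the missing-parent case before the server returns noSuchObject.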