I have to modify a user's UID and DN in an OpenLDAP server because of marriage
Maybe it's too late already, but you typically try to decide beforehand on an account naming convention where people getting married, divorced or re-married only requires adjusting their "Display Name" and/or other name-related attributes (and possibly setting up an additional, new default e-mail alias), rather than each change in marital status and preferred salutation requiring new logon names, moving mailboxes and home directories and updating group and mailing list memberships.
(Our joiners, for example, get assigned a random, unique and unused 6-digit employee number, and their account/login/sAMAccountName will be usr123456, based on that employee number, which will be with them forever. That is also used for their DN, and entries look like:
dn: uid=usr123456,ou=People,dc=example,dc=com
cn: Marcia Garza
sn: Garza
givenName: Marcia
)
Will ldapmodify actually change the UID/DN in these associated groups?
That depends ...
The ldapmodify command itself doesn't do any sanity checks and will only scope the DN and attributes that you specify. If sanity checks need to happen, they will have to be done in the backend by the OpenLDAP server or by you as the sysadmin.
When your directory is configured with the "referential integrity" overlay then YES:
Whenever a modrdn or delete is performed, that is, when an entry's DN is renamed or an entry is removed, the server will search the directory for references to this DN (in selected attributes: see below) and update them accordingly. If it was a delete operation, the reference is deleted. If it was a modrdn operation, then the reference is updated with the new DN.
When you don't have that overlay enabled, things might still remain sane automatically when you're using OpenLDAP's dynamic lists overlay for all your groups.
Then the list of member DNs that belong to a group is not hard-coded but generated automatically based on the memberOf attribute set on the member's DN. When that member's DN is renamed, the new DN will automatically show up as the member: in the group and the old DN will have disappeared.
Otherwise: no, after changing the DN your groups will contain a member DN that no longer exists, and your renamed user will lose access and privileges. You will need to manually update everywhere the old DN was used.
Note that when renaming a DN the LDAP function takes a deleteoldrdn parameter, which is used as a boolean value to indicate whether the old RDN values should be deleted from the entry or not. When set to false, the entry can still be found by the old DN and you won't end up with broken references.
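As an added example (not part of the question or the answer above), this is the LDIF for enabling the referential integrity overlay on cn=config and for the modrdn rename itself, so that member, memberOf and similar attributes pointing at the old DN are rewritten by the server. The backend name olcDatabase={1}mdb, the module entry cn=module{0}, the new uid usr654321 and the placeholder DN in olcRefintNothing are assumptions; only attributes listed in olcRefintAttribute get fixed up.

```ldif
# Added example, not from the original post. Assumed: the data backend is
# olcDatabase={1}mdb,cn=config and dynamic modules are loaded via cn=module{0}.

# 1. Load the refint module (not needed if slapd was built with refint statically).
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: refint

# 2. Attach the overlay to the database holding users and groups. Only the
#    attributes named in olcRefintAttribute are rewritten on rename/delete;
#    a reference stored anywhere else keeps pointing at the stale DN.
dn: olcOverlay=refint,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcRefintConfig
olcOverlay: refint
olcRefintAttribute: member uniqueMember memberOf owner manager
# Placeholder written in when a delete would remove the last value of a
# MUST attribute (e.g. groupOfNames.member), so the group entry stays valid.
olcRefintNothing: cn=nobody,ou=People,dc=example,dc=com

# 3. The rename the question asks about, applied with: ldapmodify -f this.ldif
dn: uid=usr123456,ou=People,dc=example,dc=com
changetype: modrdn
newrdn: uid=usr654321
# 1 = drop usr123456 from the entry's uid attribute; 0 = keep it as a second
# uid value, so (uid=usr123456) searches still match. The DN changes either way,
# and with refint loaded, group member values referencing the old DN are updated.
deleteoldrdn: 1
```

After applying the file, an ldapsearch with the filter (member=uid=usr654321,ou=People,dc=example,dc=com) should return the same groups that previously listed the old DN; any group still showing uid=usr123456 references an attribute missing from olcRefintAttribute.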