Skip to main content

Modify LDAP EntryUUID attribute

· One min read
Stephan Hochdörfer

After migrating our old LDAP Server to a new instance, we realized that the EntryUUID attribute had changed. One of our internal applications relies on that attribute so we had to modify it to not break things.

First, we created a ldif file update.ldif containing all entries that need to be changed. The content of the file looks like this:

dn: cn=Jon Doe,ou=people,dc=mycompany,dc=com
changetype: modify
replace: entryUUID
entryUUID: f9db7632-ab33-103b-8bc7-1f4363035b71

To apply the update, we ran the following command:

ldapmodify -h ldap.loc -p 389 -D cn=admin,dc=mycompany,dc=com -w somepwd -f update.ldif -Z

The LDAP server responded with:

modifying entry "cn=Jon Doe,ou=people,dc=mycompany,dc=com"
ldap_modify: Constraint violation (19)
additional info: entryUUID: no user modification allowed

Apparently, metadata like the EntryUUID can't be changed by default. However, OpenLDAP offers a relax mode which allows you to make such a change. Pass the -e relax parameter and the update will be applied:

ldapmodify -h ldap.loc -p 389 -D cn=admin,dc=mycompany,dc=com -w somepwd -f update.ldif -Z -e relax