I revised the patch based upon the comments from Andrey (Thank you!!).
Comment from andrey.ivanov(a)polytechnique.fr:
The patch you provided does take into
account the modRDN with new superior but it does not seem to take care
of subtree renames (smth like rename "ou=users" to "ou=utilisateurs"
with child entries). For subtree renames all the entries in the
renamed subtree change their DNs so for each of these renamed
entries we have to make the search
LDAP_SCOPE_SUBTREE, filter, attrs..." with a different filter.
So for each modrdn we should verify if the renamed entry has any child
entries and if it is the case then treat them either directly or
The referential integrity plugin has not supported
the subtree rename (modrdn with newsuperior). This patch is adding
There are 2 typical cases.
DN that modrdn modifies matches the value of attributes which is the
target of the referential integrity.
modrdn: uid=A,ou=B,o=C --> uid=AA,ou=BB,o=C
member: uid=A,ou=B,ou=C --> uid=AA,ou=BB,ou=C
seeAlso: uid=A,ou=B,ou=C --> uid=AA,ou=BB,ou=C
DN that modrdn modifies is the ancestor of the value of attributes
which is the target of the referential integrity.
modrdn: ou=B,o=C --> ou=BB,o=C
member: uid=A,ou=B,ou=C --> uid=A,ou=BB,ou=C
seeAlso: uid=A,ou=B,ou=C --> uid=A,ou=BB,ou=C
git patch for ldap/servers/plugins/referint/referint.c