You specify the source server, the target server, and one or more base distinguished names (DNs) identifying the subtrees you want to move. You can move small subtrees using the transactional method, or move large subtrees, which do not use this method.

Instead, a large subtree is not fully accessible during the move, so clients that try to access it might receive an insufficient access rights error. As entries are moved, clients can read them but cannot write to them. When the transfer is complete, the entries are fully available to client requests.

This tool accepts a file containing a list of the base DNs of the subtrees you want to move.


The move-subtree tool requires users to have access to the extended operations and controls needed to run the tool. Make sure to apply the following ACIs to your data.

aci: (targetcontrol=" || ||")
     (version 3.0; acl "Allow admin to submit move-subtree controls"; 
      allow (read) userdn="ldap:///uid=admin,dc=example,dc=com";)
aci: (extop="")
     (version 3.0; acl "Allow admin to request move-subtree extended 
      operation"; allow (read) userdn="ldap:///uid=admin,dc=example,dc=com";)
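
Before applying ACIs like the ones above, it helps to check that each control or extended-operation grant names its OIDs and is bound to one specific entry. The following audit script is an added example, not part of the product or its documentation; the OIDs in the sample are constructed placeholders, and the function names are hypothetical.

```python
import re

# Constructed sample: ACIs in the shape shown above. The OIDs are placeholders
# (1.2.3.4.x), not the real move-subtree control or extended-operation OIDs.
SAMPLE_ACIS = '''\
aci: (targetcontrol="1.2.3.4.1 || 1.2.3.4.2")
 (version 3.0; acl "Allow admin to submit move-subtree controls";
 allow (read) userdn="ldap:///uid=admin,dc=example,dc=com";)
aci: (extop="")
 (version 3.0; acl "Extop with no OID filled in";
 allow (read) userdn="ldap:///uid=admin,dc=example,dc=com";)
aci: (extop="1.2.3.4.3")
 (version 3.0; acl "Extop open to all authenticated users";
 allow (read) userdn="ldap:///all";)
'''

TARGET_RE = re.compile(r'\((targetcontrol|extop)\s*=\s*"([^"]*)"\)')
NAME_RE = re.compile(r'acl\s+"([^"]*)"')
USERDN_RE = re.compile(r'userdn\s*=\s*"([^"]*)"')
BROAD_SUBJECTS = {"ldap:///anyone", "ldap:///all"}

def unfold(ldif):
    """Return each aci value with its LDIF continuation lines joined."""
    values, in_aci = [], False
    for line in ldif.splitlines():
        if line.startswith(" "):
            if in_aci:
                values[-1] += line[1:]  # continuation: drop the one fold space
            continue
        in_aci = line.lower().startswith("aci:")
        if in_aci:
            values.append(line[4:].strip())
    return values

def audit(ldif):
    """Return (acl name, problem) pairs for control and extended-operation grants."""
    findings = []
    for aci in unfold(ldif):
        name = NAME_RE.search(aci)
        label = name.group(1) if name else aci[:40]
        for keyword, oids in TARGET_RE.findall(aci):
            if any(not oid.strip() for oid in oids.split("||")):
                findings.append((label, f"{keyword} has an empty OID entry"))
        for subjects in USERDN_RE.findall(aci):
            for subject in (s.strip() for s in subjects.split("||")):
                if subject.lower() in BROAD_SUBJECTS or "*" in subject:
                    findings.append((label, f"userdn {subject} is not one specific entry"))
    return findings
```

Calling audit() on an LDIF export of the ACIs returns an empty list when every grant lists its OIDs and names a single bind DN.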