kadm5_rename_principal gets the source principal entry, fixes up the salts in the key data, sets the new principal name, puts the modified principal entry, and then deletes the source principal entry. This works with BDB, but fails badly with LDAP for two reasons:

1. We don't set mask attributes to indicate that this is a new principal.

2. When the LDAP back end loads the source principal entry, it inserts a tl-data value of type KDB_TL_USERDN containing the DN. When we put the principal entry, this tl-data value is extracted and used as the DN to use. We don't want that to happen; we want the KDB module to construct a new DN based on the new principal name.

The upshot is that we make a few modifications to the source principal DN, then delete it.
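The second failure, reduced to a toy DN-keyed directory in C. This is an added example, not MIT krb5 code: `toy_get`, `toy_put`, `toy_delete`, `rename_demo`, the `user_dn` field standing in for the KDB_TL_USERDN tl-data, the DN format and the principal names are all hypothetical. Dropping the recorded DN before the put is an assumption made here to show the contrast, not the project's stated fix.

```c
#include <stdio.h>
#include <string.h>
/* Toy model, constructed for illustration; not MIT krb5 code or its API. */
#define DN_FMT "krbPrincipalName=%s,cn=EXAMPLE"            /* hypothetical DN scheme */
struct entry { int used; char dn[128]; char princ[64]; };  /* one directory object */
struct princ_ent { char princ[64]; char user_dn[128]; };   /* user_dn ~ KDB_TL_USERDN */
static struct entry dir[4];
static struct entry *find(const char *key, int use_dn) {
    for (int i = 0; i < 4; i++)
        if (dir[i].used && !strcmp(use_dn ? dir[i].dn : dir[i].princ, key)) return &dir[i];
    return NULL;
}
static int toy_get(const char *princ, struct princ_ent *out) {
    struct entry *e = find(princ, 0);
    if (!e) return -1;
    strcpy(out->princ, e->princ);
    strcpy(out->user_dn, e->dn);               /* loading records the entry's DN */
    return 0;
}
static void toy_put(const struct princ_ent *in) {
    char dn[128];
    if (in->user_dn[0]) strcpy(dn, in->user_dn);           /* a recorded DN wins */
    else snprintf(dn, sizeof dn, DN_FMT, in->princ);       /* else build from the name */
    struct entry *e = find(dn, 1);
    for (int i = 0; !e && i < 4; i++)
        if (!dir[i].used) e = &dir[i];                     /* no such DN: new object */
    if (e) { e->used = 1; strcpy(e->dn, dn); strcpy(e->princ, in->princ); }
}
static void toy_delete(const char *princ) {
    char dn[128];
    snprintf(dn, sizeof dn, DN_FMT, princ);
    struct entry *e = find(dn, 1);
    if (e) e->used = 0;
}
/* Runs get / set name / put / delete; returns 1 if the new name resolves afterwards. */
int rename_demo(int strip_dn) {
    struct princ_ent ent = { "alice@EXAMPLE", "" };        /* constructed sample */
    memset(dir, 0, sizeof dir);
    toy_put(&ent);                                         /* seed the source principal */
    if (toy_get("alice@EXAMPLE", &ent) != 0) return 0;
    strcpy(ent.princ, "alice2@EXAMPLE");
    if (strip_dn) ent.user_dn[0] = '\0';                   /* drop recorded DN before put */
    toy_put(&ent);
    toy_delete("alice@EXAMPLE");
    return find("alice2@EXAMPLE", 0) != NULL;
}
int main(void) {
    return printf("DN kept: %d, DN stripped: %d\n", rename_demo(0), rename_demo(1)) < 0;
}
```

With the recorded DN kept, the put overwrites the source object in place and the delete then removes it, so neither name resolves afterwards.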