/**
   * Perform all needed RDN checks for the modifyDN operation. The old RDN is not equal to the new
   * RDN. The access checks are: - Verify WRITE access to the original entry. - Verfiy WRITE_ADD
   * access on each RDN component of the new RDN. The WRITE_ADD access is used because this access
   * could be restricted by the targattrfilters keyword. - If the deleteOLDRDN flag is set, verify
   * WRITE_DELETE access on the old RDN. The WRITE_DELETE access is used because this access could
   * be restricted by the targattrfilters keyword.
   *
   * @param operation The ModifyDN operation class containing information to check access on.
   * @param oldRDN The old RDN component.
   * @param newRDN The new RDN component.
   * @return True if access is allowed.
   */
  private boolean aciCheckRDNs(LocalBackendModifyDNOperation operation, RDN oldRDN, RDN newRDN) {
    boolean ret;

    AciLDAPOperationContainer operationContainer =
        new AciLDAPOperationContainer(operation, (ACI_WRITE), operation.getOriginalEntry());
    ret = accessAllowed(operationContainer);
    if (ret) {
      ret = checkRDN(ACI_WRITE_ADD, newRDN, operationContainer);
    }
    if (ret && operation.deleteOldRDN()) {
      ret = checkRDN(ACI_WRITE_DELETE, oldRDN, operationContainer);
    }
    return ret;
  }
  /**
   * Checks access on a modifyDN operation.
   *
   * @param operation The modifyDN operation to check access on.
   * @return True if access is allowed.
   */
  @Override
  public boolean isAllowed(LocalBackendModifyDNOperation operation) {
    boolean ret = true;
    DN newSuperiorDN;
    RDN oldRDN = operation.getOriginalEntry().getDN().getRDN();
    RDN newRDN = operation.getNewRDN();
    if (!skipAccessCheck(operation)) {
      // If this is a modifyDN move to a new superior, then check if the
      // superior DN has import accesss.
      if ((newSuperiorDN = operation.getNewSuperior()) != null) {
        try {
          ret = aciCheckSuperiorEntry(newSuperiorDN, operation);
        } catch (DirectoryException ex) {
          ret = false;
        }
      }
      // Perform the RDN access checks.
      if (ret) {
        ret = aciCheckRDNs(operation, oldRDN, newRDN);
      }

      // If this is a modifyDN move to a new superior, then check if the
      // original entry DN has export access.
      if (ret && (newSuperiorDN != null)) {
        AciLDAPOperationContainer operationContainer =
            new AciLDAPOperationContainer(operation, (ACI_EXPORT), operation.getOriginalEntry());
        // The RDNs are not equal, skip the proxy check since it was
        // already performed in the aciCheckRDNs call above.
        boolean rdnEquals = oldRDN.equals(newRDN);
        if (!rdnEquals) {
          operationContainer.setSeenEntry(true);
        }
        ret = accessAllowed(operationContainer);
      }
    }
    return ret;
  }