Modify a User ID (part of RDN) in an IDM Environment.

Article ID: 15754


Products

CA Identity Manager, CA Identity Governance, CA Identity Portal, CA Risk Analytics, CA Secure Cloud SaaS - Arcot A-OK (WebFort), CLOUDMINDER ADVANCED AUTHENTICATION, CA Secure Cloud SaaS - Advanced Authentication, CA Secure Cloud SaaS - Identity Management, CA Secure Cloud SaaS - Single Sign On

Issue/Introduction



In CA IDM a user id is created in the format of <firstname>.<lastname>

We have a user whose last name has been changed, and we need the User ID to reflect the changed last name as well.

We cannot modify the USER ObjectType by changing the uid which is a part of the RDN.

Please suggest how we should proceed with this.

Environment

Tested with IM r12.6.SP8.CR1 and a user store on DXserver 12.0.15.?

Resolution

You are right: from the IM User Console, you cannot modify the USER object type by changing the uid, which is part of the RDN, because the whole DN serves as a unique name.

Several mechanisms prevent you from doing this in the web UI, such as the WRITEONCE permission in the directory definition and the READ ONLY permission in the role and task settings.

Modifying the user object RDN fails with: [LDAP: error code 67 - Not Allowed On RDN]. This is not supported.

---

To work around this issue, you can rename the entry manually by running an ldapmodrdn command against your user object.

See the following sample script:

<<

@ECHO OFF
:: Installation directory of the Provisioning Server:
SET ETAHOME="C:\Program Files (x86)\CA\Identity Manager\Provisioning Server"
:: Host name of CA LDAP server:
SET HOST=<Your_Hostname>
:: Port number of CA LDAP server:
SET PORT=<your_Portnumber>
:: Provisioning Server administrator:
SET USERDN="uid=<PS admin username>,ou=People,ou=Employee,ou=<ou>,dc=security,dc=com"
:: Provisioning Server administrator password
:: (no trailing space after the value: SET would store it as part of the password):
SET PASSWD=<secret>

:: First argument is the current DN of the user, second is the new RDN.
%ETAHOME%\bin\ldapmodrdn -h %HOST% -p %PORT% -D %USERDN% -w %PASSWD% uid=<username>,ou=people,ou=<ou>,dc=security,dc=com uid=<username2>

>>

Note: The usage is: ldapmodrdn [options] [dn rdn]

rdn will replace the RDN of the entry specified by DN.
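
The new uid passed to ldapmodrdn is built from the user's first and last name. As an added example (not part of the original article or of CA Identity Manager), the Python helper below escapes that value per RFC 4514 and returns the two positional arguments, dn and rdn, for the command above. The function names and the sample DN are assumptions made for illustration.

```python
import re

SPECIAL = '"+,;<>\\'  # must be backslash-escaped in a DN value (RFC 4514)

def escape_rdn_value(value):
    """Escape one attribute value for use inside a DN string."""
    if not value:
        raise ValueError("empty RDN value")
    out = ["\\00" if c == "\x00" else "\\" + c if c in SPECIAL else c
           for c in value]
    if out[0] in (" ", "#"):      # leading space or '#'
        out[0] = "\\" + out[0]
    if out[-1] == " ":            # trailing space
        out[-1] = "\\ "
    return "".join(out)

def split_first_rdn(dn):
    """Split a DN at the first unescaped comma into (rdn, parent_dn)."""
    m = re.match(r"((?:\\.|[^\\,])+),(.+)$", dn)
    if not m:
        raise ValueError("not a DN with a parent: %r" % dn)
    return m.group(1), m.group(2)

def modrdn_args(old_dn, first, last):
    """Return [dn, rdn], the two positional arguments of ldapmodrdn."""
    old_rdn, _parent = split_first_rdn(old_dn)
    if old_rdn.split("=", 1)[0].strip().lower() != "uid":
        raise ValueError("entry is not named by uid")
    # Naming convention from the article: <firstname>.<lastname>
    new_rdn = "uid=" + escape_rdn_value(first + "." + last)
    if new_rdn.lower() == old_rdn.lower():
        raise ValueError("new RDN is the same as the current RDN")
    return [old_dn, new_rdn]

if __name__ == "__main__":
    # Constructed sample DN; the ou and dc values are placeholders.
    dn = "uid=jane.doe,ou=people,ou=example,dc=security,dc=com"
    print(modrdn_args(dn, "jane", "smith"))
    # A name carrying DN syntax stays inside the uid value once escaped.
    print(modrdn_args(dn, "jane", "smith,ou=admins"))
```

Pass the two returned strings to ldapmodrdn as separate arguments rather than pasting them into a command string.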