Is it a legal operation to change samAccountName on rename? Is there
something I need to set in AD before I can do it? I've tried this:

<modify-attr attr-name="sAMAccountName">
  <remove-value>
    <value type="string">old_name</value>
  </remove-value>
</modify-attr>
<modify-attr attr-name="sAMAccountName">
  <add-value>
    <value type="string">new_name</value>
  </add-value>
</modify-attr>

and this:

<modify-attr attr-name="sAMAccountName">
  <remove-all-values/>
  <add-value>
    <value>new_name</value>
  </add-value>
</modify-attr>

and they both end up as not willing to perform:

<status
event-id="ksmeta1#20160512110957#1#2:ccbfde72-b5d3-42bc-08a0-72debfccd3b5_opData0"
level="error" type="driver-general">
<ldap-err ldap-rc="53" ldap-rc-name="LDAP_UNWILLING_TO_PERFORM">
<client-err ldap-rc="53"
ldap-rc-name="LDAP_UNWILLING_TO_PERFORM">Unwilling To Perform</client-err>
<server-err>00002016: SvcErr: DSID-031A12D2, problem 5003
(WILL_NOT_PERFORM), data 0
</server-err>
<server-err-ex win32-rc="8214"/>
</ldap-err>
</status>

My IDM user has the rights of domain admin to add or delete users, but
does it require something more special to change samAccountName?

Thanks,
Pekka