[Freeipa-devel] [freeipa PR#444][comment] Allow nsaccountlock to be searched in user-find commands
HonzaCholasta
freeipa-github-notification at redhat.com
Mon Mar 6 07:09:49 UTC 2017
URL: https://github.com/freeipa/freeipa/pull/444
Title: #444: Allow nsaccountlock to be searched in user-find commands
HonzaCholasta commented:
"""
@abbra, the issue is not that the attribute is not requested (it is in fact always requested in user commands), it is that when the attribute is not set on a user entry (that's right, the attribute is *not* operational in 389 DS), the entry will not be returned in `ipa user-find --disabled=0`, which might be surprising to the user.
@redhatrises, the framework fix would be to update `LDAPSearch.get_attr_filter()` to handle the "search for the default value" case, off the top of my head it should be something like this:
```python
def get_attr_filter(self, ldap, **options):
    """
    Returns a MATCH_ALL filter containing all required attributes from the
    options
    """
    search_kw = self.args_options_2_entry(**options)
    search_kw['objectclass'] = self.obj.object_class
    default_kw = self.get_default(**options)

    filters = []
    for name, value in search_kw.items():
        flt = ldap.make_filter_from_attr(name, value, ldap.MATCH_ALL)
        if name in default_kw and value == default_kw[name]:
            # default value search, check also for non-present attribute
            flt = ldap.combine_filters([flt, '(!({}=*))'.format(name)])
        filters.append(flt)

    return ldap.combine_filters(filters, ldap.MATCH_ALL)
```
"""
See the full comment at https://github.com/freeipa/freeipa/pull/444#issuecomment-284318835
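
The filter behaviour discussed in the comment above, as an added standalone example (not part of the comment and not FreeIPA code): a plain equality filter misses entries where `nsaccountlock` is absent, while the default-aware form also returns them. The helper names, the sample entries, and the simplified filter evaluator (equality, presence, `&`, `|`, `!` only, case-insensitive values) are assumptions made for the illustration.

```python
# Added illustration: standalone, does not import or reproduce FreeIPA code.

# Constructed sample entries; bob has no nsaccountlock attribute at all.
ENTRIES = [
    {"uid": ["alice"], "nsaccountlock": ["FALSE"]},
    {"uid": ["bob"]},
    {"uid": ["carol"], "nsaccountlock": ["TRUE"]},
]

def default_aware_filter(name, value, default):
    """Equality filter, widened to absent attributes when value == default."""
    flt = "({}={})".format(name, value)
    if value == default:
        flt = "(|{}(!({}=*)))".format(flt, name)
    return flt

def _parse(s, i=0):
    """Parse one filter starting at s[i] == '('; return (node, next_index)."""
    assert s[i] == "("
    op = s[i + 1]
    if op in "&|!":
        i += 2
        kids = []
        while s[i] == "(":
            node, i = _parse(s, i)
            kids.append(node)
        assert s[i] == ")"
        return (op, kids), i + 1
    end = s.index(")", i)
    attr, val = s[i + 1:end].split("=", 1)
    return ("=", attr.lower(), val), end + 1

def _match(node, entry):
    """Evaluate a parsed filter node against one entry (dict of lists)."""
    if node[0] == "=":
        values = entry.get(node[1], [])
        if node[2] == "*":  # presence test: attribute has any value
            return bool(values)
        return any(v.lower() == node[2].lower() for v in values)
    results = [_match(k, entry) for k in node[1]]
    if node[0] == "&":
        return all(results)
    if node[0] == "|":
        return any(results)
    return not results[0]  # '!' negates its single child

def search(flt):
    """Return the uids of the sample entries that match the filter string."""
    node, _ = _parse(flt)
    return [e["uid"][0] for e in ENTRIES if _match(node, e)]
```
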