URL: https://github.com/freeipa/freeipa/pull/444
Title: #444: Allow nsaccountlock to be searched in user-find commands

HonzaCholasta commented:
"""
@abbra, the issue is not that the attribute is not requested (it is in fact always requested in user commands), it is that when the attribute is not set on a user entry (that's right, the attribute is *not* operational in 389 DS), the entry will not be returned in `ipa user-find --disabled=0`, which might be surprising to the user.

@redhatrises, the framework fix would be to update `LDAPSearch.get_attr_filter()` to handle the "search for the default value" case, off the top of my head it should be something like this:

```python
def get_attr_filter(self, ldap, **options):
    """
    Returns a MATCH_ALL filter containing all required attributes from the
    options
    """
    search_kw = self.args_options_2_entry(**options)
    search_kw['objectclass'] = self.obj.object_class

    default_kw = self.get_default(**options)

    filters = []
    for name, value in search_kw.items():
        flt = ldap.make_filter_from_attr(name, value, ldap.MATCH_ALL)
        if name in default_kw and value == default_kw[name]:
            # default value search, check also for non-present attribute
            flt = ldap.combine_filters([flt, '(!({}=*))'.format(name)])
        filters.append(flt)

    return ldap.combine_filters(filters, ldap.MATCH_ALL)
```
"""

See the full comment at https://github.com/freeipa/freeipa/pull/444#issuecomment-284318835
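
The behaviour described in the comment above, as an added example that is not FreeIPA code and not part of the original comment: a small evaluator for a subset of LDAP filter syntax, run over constructed entries, comparing a plain equality filter with one that also accepts entries where the attribute is absent. The entry names, the `posixaccount` object class and the helper names `parse`, `matches` and `search` are assumptions made for illustration.

```python
# Added illustration: evaluator for a subset of LDAP filters
# (&, |, !, equality, presence); case-insensitive matching is assumed.

def parse(flt, i=0):
    """Parse one parenthesised filter at flt[i]; return (node, next_index)."""
    assert flt[i] == '('
    op = flt[i + 1]
    if op in '&|!':
        i += 2
        kids = []
        while flt[i] == '(':
            kid, i = parse(flt, i)
            kids.append(kid)
        assert flt[i] == ')'
        return (op, kids), i + 1
    end = flt.index(')', i)
    attr, value = flt[i + 1:end].split('=', 1)
    return ('=', attr.lower(), value), end + 1

def matches(node, entry):
    """Evaluate a parsed filter against an entry (lowercase attr -> values)."""
    if node[0] == '&':
        return all(matches(k, entry) for k in node[1])
    if node[0] == '|':
        return any(matches(k, entry) for k in node[1])
    if node[0] == '!':
        return not matches(node[1][0], entry)
    _, attr, value = node
    values = entry.get(attr, [])
    if value == '*':                      # presence test
        return bool(values)
    return any(v.lower() == value.lower() for v in values)

def search(entries, flt):
    node, _ = parse(flt)
    return sorted(uid for uid, e in entries.items() if matches(node, e))

# Constructed sample entries
ENTRIES = {
    'alice': {'objectclass': ['posixaccount'], 'nsaccountlock': ['TRUE']},
    'bob': {'objectclass': ['posixaccount'], 'nsaccountlock': ['FALSE']},
    'carol': {'objectclass': ['posixaccount']},  # attribute never set
}
NAIVE = '(&(objectclass=posixaccount)(nsaccountlock=FALSE))'
FIXED = '(&(objectclass=posixaccount)(|(nsaccountlock=FALSE)(!(nsaccountlock=*))))'

if __name__ == '__main__':
    print('naive:', search(ENTRIES, NAIVE))
    print('fixed:', search(ENTRIES, FIXED))
```

With the plain equality filter an account that was never disabled is missing from the "not disabled" result, which matters when that list is used for access reviews.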