URL: https://github.com/freeipa/freeipa/pull/444
Title: #444: Allow nsaccountlock to be searched in user-find commands
HonzaCholasta commented:
"""
@abbra, the issue is not that the attribute is not requested (it is in fast
always requested in user commands), it is that when the attribute is not set on
a user entry (that's right, the attribute is *not* operational in 389 DS), the
entry will not be returned in `ipa user-find --disabled=0`, which might be
surprising to the user.
@redhatrises, the framework fix would be to update
`LDAPSearch.get_attr_filter()` to handle the "search for the default value"
case, off the top of my head it should be something like this:
```python
def get_attr_filter(self, ldap, **options):
"""
Returns a MATCH_ALL filter containing all required attributes from the
options
"""
search_kw = self.args_options_2_entry(**options)
search_kw['objectclass'] = self.obj.object_class
default_kw = self.get_default(**options)
filters = []
for name, value in search_kw.items():
flt = ldap.make_filter_from_attr(name, value, ldap.MATCH_ALL)
if name in default_kw and value == default_kw[name]:
# default value search, check also for non-present attribute
flt = ldap.combine_filters([flt, '(!({}=*))'.format(name)])
filters.append(flt)
return ldap.combine_filters(filters, ldap.MATCH_ALL)
```
"""
See the full comment at
https://github.com/freeipa/freeipa/pull/444#issuecomment-284318835
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
