Sorry, we cannot push this patch because I realize that it breaks API compatibility.

The proper fix is add this code to find method (not tested)

    def get_options(self):
        for option in super(user_find, self).get_options():
            if == "nsaccountlock":
                flags = set(option.flags)
                option = option.clone(flags=flags)
            yield option

But I do not like too much this code, we plan to do some ipalib refactoring in IPA 4.4, so we can do there bigger changes and solve this issue in nicer way. If you don't mind, I would postpone this to IPA 4.4, instead of hacking the framework


On 13.10.2015 19:12, Gabe Alford wrote:
Updated patch attached.

On Tue, Oct 13, 2015 at 10:59 AM, Martin Basti < <>> wrote:

    On 13.10.2015 18:53, Gabe Alford wrote:
    Thanks Martin,

    What about adding no_create and no_update flags?

    Yes, that may work, also please increment minor version of API and
    add ticket into commit message


    On Tue, Oct 13, 2015 at 9:54 AM, Martin Basti <
    <>> wrote:

        On 09.10.2015 19:17, Gabe Alford wrote:

        This patch enables nsaccountlock in cli. It is very
        handy to be able to search and find users with
        disabled/enabled accounts, etc. That said, I couldn't find
        why it was no_option in the first place, so I am not 100%
        sure if it breaks something or the reasoning behind no_option.




        This patch allows to enable/disable user via user-mod, and we
        do not want to do this, so NACK for this patch.
        I'm not sure yet how to write it in elegant way.


Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA:

Reply via email to