URL: https://github.com/freeipa/freeipa/pull/444
Title: #444: Allow nsaccountlock to be searched in user-find commands

HonzaCholasta commented:
@abbra, the issue is not that the attribute is not requested (it is in fast 
always requested in user commands), it is that when the attribute is not set on 
a user entry (that's right, the attribute is *not* operational in 389 DS), the 
entry will not be returned in `ipa user-find --disabled=0`, which might be 
surprising to the user.

@redhatrises, the framework fix would be to update 
`LDAPSearch.get_attr_filter()` to handle the "search for the default value" 
case, off the top of my head it should be something like this:
    def get_attr_filter(self, ldap, **options):
        Returns a MATCH_ALL filter containing all required attributes from the
        search_kw = self.args_options_2_entry(**options)
        search_kw['objectclass'] = self.obj.object_class
        default_kw = self.get_default(**options)
        filters = []
        for name, value in search_kw.items():
            flt = ldap.make_filter_from_attr(name, value, ldap.MATCH_ALL)
            if name in default_kw and value == default_kw[name]:
                # default value search, check also for non-present attribute
                flt = ldap.combine_filters([flt, '(!({}=*))'.format(name)])
        return ldap.combine_filters(filters, ldap.MATCH_ALL)

See the full comment at 
Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to