It's not clear in the API or python-freeapi module that all is a keyword
argument, so all=true solves my first problem.

I added the objectclasses _before_ users were created using a python import
script, which keeps their attributes up-to-date.

I added the objectclasses using the following method:

git clone
cp auEduPerson/auEduPerson20170721.ldif
chown dirsrv:dirsrv /etc/dirsrv/slapd-MY-ORG/schema/60aueduperson.ldif
ipactl restart
kinit admin
ipa config-mod

Though, I did not do the last line using the CLI, but used the web UI to set
objectclasses so that I didn't drop any by missing them out of the list.


On pe, 03 marras 2017, Aaron Hicks via FreeIPA-users wrote:
>Hi all,
>We've added two objectclasses to the default user in our FreeIPA instance.
>We're able to set and modify them fine, however we need two additional 
>We need two additional attributes auedupersonsharedtoken and 
>edupersonprinciplename to be included in the user attributes when 
>executing user-find with the python-freeipa module. It works fine from 
>the command line by adding the --all argument, but there's no 
>equivalent to --all the python-freeipa module.
It is all there.

$ ipa console
(Custom IPA interactive Python console)
>>> len(api.Command.user_find()['result'][0])
>>> len(api.Command.user_find(all=True)['result'][0])

>We need to be able to user-find to search for users by these 
>attributes, both from the command line and the python-freeipa module. 
>There does not seem to be an equivalent of the --setattr command on the 
>find function to search by attributes provided by additional objectclass
This is a bit different. You need to make sure you injected those attributes
into existing object definitions if you want to see them used by the machinery.

Can you show a code you use to extend IPA classes?

