Ugh, on further testing; the ipa python console is giving different
responses that the code I'm using in a python script.

In the ipa console, the additional attributes are listed.

In the script I'm setting up a python-freeipa.Client object (called
client)and passing the following call:


and the user records that are returned are still only the 'default'
attributes, even though the attributes are set and have values.

This is the code I'm testing, it's loading all the variables from a
configuration file provided by the config object.

# First two lines import the project's configuration and logging objects
from this.configuration import config, args
from this.log import base_logger
from python_freeipa import Client

logger = base_logger.getChild(__name__)

if config['freeipa'].getboolean('enabled') is True:
    if config['freeipa'].getboolean('verify_ssl') is not True:
            'Verifying TLS connection to %s disabled.' %
        )'freeIPA startup')
    client = Client(
else:'freeIPA disabled')

def ipa_query(*dargs, **kwargs):
    if config['freeipa'].getboolean('enabled') is True:
        return client.user_find(*dargs, **kwargs)
    else:'freeIPA disabled')
        return None




-----Original Message-----
From: Alexander Bokovoy [] 
Sent: Friday, 3 November 2017 7:10 PM
To: FreeIPA users list <>
Cc: Aaron Hicks <>
Subject: Re: [Freeipa-users] Searching for user by extended attribute

On pe, 03 marras 2017, Aaron Hicks via FreeIPA-users wrote:
>Hi all,
>We've added two objectclasses to the default user in our FreeIPA instance.
>We're able to set and modify them fine, however we need two additional 
>We need two additional attributes auedupersonsharedtoken and 
>edupersonprinciplename to be included in the user attributes when 
>executing user-find with the python-freeipa module. It works fine from 
>the command line by adding the --all argument, but there's no 
>equivalent to --all the python-freeipa module.
It is all there.

$ ipa console
(Custom IPA interactive Python console)
>>> len(api.Command.user_find()['result'][0])
>>> len(api.Command.user_find(all=True)['result'][0])

>We need to be able to user-find to search for users by these 
>attributes, both from the command line and the python-freeipa module. 
>There does not seem to be an equivalent of the --setattr command on the 
>find function to search by attributes provided by additional objectclass
This is a bit different. You need to make sure you injected those attributes
into existing object definitions if you want to see them used by the machinery.

Can you show a code you use to extend IPA classes?

/ Alexander Bokovoy
FreeIPA-users mailing list --
To unsubscribe send an email to

Reply via email to