So the next step is to raise an issue: https://pagure.io/freeipa/issue/7235


-----Original Message-----
From: Aaron Hicks [mailto:aaron.hi...@nesi.org.nz] 
Sent: Monday, 6 November 2017 5:21 PM
To: 'Alexander Bokovoy' <aboko...@redhat.com>; 'FreeIPA users list'
<freeipa-users@lists.fedorahosted.org>
Subject: RE: [Freeipa-users] Searching for user by extended attribute

Hi everyone,

This seems to be a flaw in the FreeIPA API itself.

Using curl and the session method Alexander wrote up here:
https://vda.li/en/posts/2015/05/28/talking-to-freeipa-api-with-sessions/

There is no combination of the 'all':somevalue that seems to trigger a proper
all response. This is either broken or improperly documented. I've tried
'all':True  'all':1  all:'True'

This is the curl request I'm making at the end:

curl -v \
     -H referer:https://$IPAHOSTNAME/ipa \
     -H "Content-Type:application/json" \
     -H "Accept:applicaton/json" \
     -c $COOKIEJAR -b $COOKIEJAR \
     --cacert /etc/ipa/ca.crt \
     -d '{"method":"user_find","params":[[""],{"all":"true"}],"id":0}' \
     -X POST https://$IPAHOSTNAME/ipa/session/json

-----Original Message-----
From: Aaron Hicks [mailto:aaron.hi...@nesi.org.nz]
Sent: Monday, 6 November 2017 3:20 PM
To: 'Alexander Bokovoy' <aboko...@redhat.com>; 'FreeIPA users list'
<freeipa-users@lists.fedorahosted.org>
Subject: RE: [Freeipa-users] Searching for user by extended attribute

Ah, another point of difference is that I'm using this module to communicate
with the API https://github.com/opennode/python-freeipa

I've not found any documentation for using any Python modules provided by
FreeIPA itself in standalone Python scripts, rather than via the ipa
console...

-----Original Message-----
From: Aaron Hicks [mailto:aaron.hi...@nesi.org.nz]
Sent: Monday, 6 November 2017 10:20 AM
To: 'Alexander Bokovoy' <aboko...@redhat.com>; 'FreeIPA users list'
<freeipa-users@lists.fedorahosted.org>
Subject: RE: [Freeipa-users] Searching for user by extended attribute

Ugh, on further testing; the ipa python console is giving different
responses than the code I'm using in a python script.

In the ipa console, the additional attributes are listed.

In the script I'm setting up a python-freeipa.Client object (called
client) and passing the following call:

client.user_find(all=True)

and the user records that are returned are still only the 'default'
attributes, even though the attributes are set and have values.

This is the code I'm testing, it's loading all the variables from a
configuration file provided by the config object.

# First two lines import the project's configuration and logging objects
from this.configuration import config, args
from this.log import base_logger
from python_freeipa import Client

logger = base_logger.getChild(__name__)

if config['freeipa'].getboolean('enabled') is True:
    if config['freeipa'].getboolean('verify_ssl') is not True:
        logger.warning(
            'Verifying TLS connection to %s disabled.' %
            config['freeipa']['server']
        )
    logger.info('freeIPA startup')
    client = Client(
        config['freeipa']['server'],
        version=config['freeipa']['version'],
        verify_ssl=config['freeipa'].getboolean('verify_ssl')
    )
    client.login(
        config['freeipa']['user'],
        config['freeipa']['password']
    )
else:
    logger.info('freeIPA disabled')

def ipa_query(*dargs, **kwargs):
    if config['freeipa'].getboolean('enabled') is True:
        return client.user_find(*dargs, **kwargs)
    else:
        logger.info('freeIPA disabled')
        return None

ipa_query(all=True)

Regards,

Aaron


-----Original Message-----
From: Alexander Bokovoy [mailto:aboko...@redhat.com]
Sent: Friday, 3 November 2017 7:10 PM
To: FreeIPA users list <freeipa-users@lists.fedorahosted.org>
Cc: Aaron Hicks <aaron.hi...@nesi.org.nz>
Subject: Re: [Freeipa-users] Searching for user by extended attribute

On Fri, 03 Nov 2017, Aaron Hicks via FreeIPA-users wrote:
>Hi all,
>
>
>
>We've added two objectclasses to the default user in our FreeIPA instance.
>We're able to set and modify them fine, however we need two additional 
>functions.
>
>
>
>We need two additional attributes auedupersonsharedtoken and 
>edupersonprinciplename to be included in the user attributes when 
>executing user-find with the python-freeipa module. It works fine from 
>the command line by adding the --all argument, but there's no 
>equivalent to --all in the python-freeipa module.
It is all there.

$ ipa console
(Custom IPA interactive Python console)
>>> len(api.Command.user_find()['result'][0])
11
>>> len(api.Command.user_find(all=True)['result'][0])
24

>We need to be able to user-find to search for users by these 
>attributes, both from the command line and the python-freeipa module.
>There does not seem to be an equivalent of the --setattr command on the 
>find function to search by attributes provided by additional 
>objectclass schema.
This is a bit different. You need to make sure you injected those attributes
into existing object definitions if you want to see them used by the
baseldap.py machinery.

Can you show the code you use to extend IPA classes?

--
/ Alexander Bokovoy


