On Mon, 06 Nov 2017, Aaron Hicks via FreeIPA-users wrote:
Hi everyone,

This seems to be a flaw in the FreeIPA API itself.

Using curl and the session method Alexander wrote up here:
https://vda.li/en/posts/2015/05/28/talking-to-freeipa-api-with-sessions/

There is no combination of the 'all':somevalue that seems to trigger a proper
all response. This is either broken or improperly documented. I've tried
'all':True  'all':1  all:'True'

This is the curl request I'm making at the end:

curl -v \
    -H referer:https://$IPAHOSTNAME/ipa \
    -H "Content-Type:application/json" \
    -H "Accept:application/json" \
    -c $COOKIEJAR -b $COOKIEJAR \
    --cacert /etc/ipa/ca.crt \
    -d '{"method":"user_find","params":[[""],{"all":"true"}],"id":0}' \
    -X POST https://$IPAHOSTNAME/ipa/session/json

See my other answer.

I think what you are confused about as well is the fact that 'user_find'
is not the command that returns _everything_ from the user entries it
finds. Instead, it returns a curated list of attributes -- there are two
lists, actually, -- one for a normal (without --all) and one for
extended operation. The reason for that is because in all
'<object>-find' calls we don't want to resolve potential membership
information for an object to be returned. The list of members/membership
would be too involving in case of a large database which would slow down
find operations a lot. As a result, we tuned find operation to provide a
smaller subset (still, --all produces a bit larger one too). If you need
all attributes, use '<object>-show' instead, once you found the name for
an object.




-----Original Message-----
From: Aaron Hicks [mailto:aaron.hi...@nesi.org.nz]
Sent: Monday, 6 November 2017 3:20 PM
To: 'Alexander Bokovoy' <aboko...@redhat.com>; 'FreeIPA users list'
<freeipa-users@lists.fedorahosted.org>
Subject: RE: [Freeipa-users] Searching for user by extended attribute

Ah, another point of difference is that I'm using this module to communicate
with the API https://github.com/opennode/python-freeipa

I've not found any documentation for using any Python modules provided by
FreeIPA itself in standalone python scripts, rather than via the ipa
console...

-----Original Message-----
From: Aaron Hicks [mailto:aaron.hi...@nesi.org.nz]
Sent: Monday, 6 November 2017 10:20 AM
To: 'Alexander Bokovoy' <aboko...@redhat.com>; 'FreeIPA users list'
<freeipa-users@lists.fedorahosted.org>
Subject: RE: [Freeipa-users] Searching for user by extended attribute

Ugh, on further testing; the ipa python console is giving different
responses than the code I'm using in a python script.

In the ipa console, the additional attributes are listed.

In the script I'm setting up a python-freeipa.Client object (called
client) and passing the following call:

client.user_find(all=True)

and the user records that are returned are still only the 'default'
attributes, even though the attributes are set and have values.

This is the code I'm testing, it's loading all the variables from a
configuration file provided by the config object.

# First two lines import the project's configuration and logging objects
from this.configuration import config, args
from this.log import base_logger
from python_freeipa import Client

logger = base_logger.getChild(__name__)

if config['freeipa'].getboolean('enabled') is True:
   if config['freeipa'].getboolean('verify_ssl') is not True:
       logger.warning(
           'Verifying TLS connection to %s disabled.' %
           config['freeipa']['server']
       )
   logger.info('freeIPA startup')
   client = Client(
       config['freeipa']['server'],
       version=config['freeipa']['version'],
       verify_ssl=config['freeipa'].getboolean('verify_ssl')
   )
   client.login(
       config['freeipa']['user'],
       config['freeipa']['password']
   )
else:
   logger.info('freeIPA disabled')

def ipa_query(*dargs, **kwargs):
   if config['freeipa'].getboolean('enabled') is True:
       return client.user_find(*dargs, **kwargs)
   else:
       logger.info('freeIPA disabled')
       return None

ipa_query(all=True)

Regards,

Aaron


-----Original Message-----
From: Alexander Bokovoy [mailto:aboko...@redhat.com]
Sent: Friday, 3 November 2017 7:10 PM
To: FreeIPA users list <freeipa-users@lists.fedorahosted.org>
Cc: Aaron Hicks <aaron.hi...@nesi.org.nz>
Subject: Re: [Freeipa-users] Searching for user by extended attribute

On Fri, 03 Nov 2017, Aaron Hicks via FreeIPA-users wrote:
Hi all,



We've added two objectclasses to the default user in our FreeIPA instance.
We're able to set and modify them fine, however we need two additional
functions.



We need two additional attributes auedupersonsharedtoken and
edupersonprinciplename to be included in the user attributes when
executing user-find with the python-freeipa module. It works fine from
the command line by adding the --all argument, but there's no
equivalent to --all in the python-freeipa module.

It is all there.

$ ipa console
(Custom IPA interactive Python console)
>>> len(api.Command.user_find()['result'][0])
11
>>> len(api.Command.user_find(all=True)['result'][0])
24

We need to be able to user-find to search for users by these
attributes, both from the command line and the python-freeipa module.
There does not seem to be an equivalent of the --setattr command on the
find function to search by attributes provided by additional
objectclass schema.

This is a bit different. You need to make sure you injected those attributes
into existing object definitions if you want to see them used by the
baseldap.py machinery.

Can you show the code you use to extend IPA classes?

--
/ Alexander Bokovoy


_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
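
The find-then-show pattern Alexander describes at the top of the thread, as an added example that is not code from any poster or from FreeIPA. `post` stands for any callable that sends the JSON body to /ipa/session/json on an authenticated session and returns the reply text; `fake_post` and its directory entries are constructed so the flow runs offline.

```python
import json

def rpc(post, method, args, options):
    """Send one JSON-RPC call through `post` and return its "result" member."""
    payload = {"method": method, "params": [list(args), dict(options)], "id": 0}
    reply = json.loads(post(json.dumps(payload)))
    if reply.get("error"):
        raise RuntimeError("%s: %s" % (method, reply["error"].get("message")))
    return reply["result"]

def find_then_show(post, criteria=""):
    """Use user_find only to learn the names, then user_show for full entries."""
    found = rpc(post, "user_find", [criteria], {"all": True})
    if found.get("truncated"):
        raise RuntimeError("user_find result was truncated; narrow the search")
    full = {}
    for entry in found["result"]:
        uid = entry["uid"][0]  # attribute values arrive as lists
        full[uid] = rpc(post, "user_show", [uid], {"all": True})["result"]
    return full

# Constructed directory and transport, standing in for a real server so the
# example runs offline. All names and values below are made up.
_DIRECTORY = {
    "alice": {"uid": ["alice"], "auedupersonsharedtoken": ["CONSTRUCTED-1"],
              "memberof_group": ["ipausers", "hpc"]},
    "bob": {"uid": ["bob"], "auedupersonsharedtoken": ["CONSTRUCTED-2"],
            "memberof_group": ["ipausers"]},
}

def fake_post(body):
    """Answer user_find without membership attributes and user_show with them."""
    req = json.loads(body)
    args = req["params"][0]
    error, result = None, None
    if req["method"] == "user_find":
        rows = [{k: v for k, v in e.items() if not k.startswith("memberof")}
                for uid, e in sorted(_DIRECTORY.items()) if args[0] in uid]
        result = {"result": rows, "count": len(rows), "truncated": False}
    elif req["method"] == "user_show" and args[0] in _DIRECTORY:
        result = {"result": _DIRECTORY[args[0]], "value": args[0]}
    else:
        error = {"message": "%s: not found" % args[0]}
    return json.dumps({"result": result, "error": error, "id": req["id"]})

if __name__ == "__main__":
    for uid, attrs in find_then_show(fake_post).items():
        print(uid, sorted(attrs))
```

Against a real server, `post` would be a session POST that sends the Referer header and verifies TLS against /etc/ipa/ca.crt, as in the curl command quoted earlier in the thread.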
