Issue 3656 - Extend schema function to return MAY or MUST attrs

Add new paramters to get_allowed_attributes() to return just MAY or MUST
attributes

Related: https://pagure.io/freeipa/issue/3656

Signed-off-by: Mark Reynolds <mreynolds@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>

ipapython/ipaldap.py

@@ -1185,14 +1185,23 @@ def schema(self):
         """schema associated with this LDAP server"""
         return self._get_schema()
 
-    def get_allowed_attributes(self, objectclasses, raise_on_unknown=False):
+    def get_allowed_attributes(self, objectclasses, raise_on_unknown=False,
+                               attributes="all"):
         if self.schema is None:
             return None
         allowed_attributes = []
         for oc in objectclasses:
             obj = self.schema.get_obj(ldap.schema.ObjectClass, oc)
             if obj is not None:
-                allowed_attributes += obj.must + obj.may
+                if attributes == "must":
+                    # Only return required(must) attrs
+                    allowed_attributes += obj.must
+                elif attributes == "may":
+                    # Only return allowed(may) attrs
+                    allowed_attributes += obj.may
+                else:
+                    # Return both allowed & required attrs
+                    allowed_attributes += obj.must + obj.may
             elif raise_on_unknown:
                 raise errors.NotFound(
                     reason=_('objectclass %s not found') % oc)
@@ -1201,7 +1210,6 @@ def get_allowed_attributes(self, objectclasses, raise_on_unknown=False):
     def __enter__(self):
         return self
 
-
     def __exit__(self, exc_type, exc_value, traceback):
         self.close()