Allow nsaccountlock to be searched in user-find commands #444
18e8401
to
7d05370
Compare
Hello, thank you for the PR! I have a few comments:
diff --git a/ipaserver/plugins/user.py b/ipaserver/plugins/user.py
index 0194f1b..3df2723 100644
--- a/ipaserver/plugins/user.py
+++ b/ipaserver/plugins/user.py
@@ -371,7 +371,7 @@ class user(baseuser):
takes_params = baseuser.takes_params + (
Bool('nsaccountlock?',
label=_('Account disabled'),
- flags=['no_option'],
+ flags=['no_create', 'no_update'],
),
Bool('preserved?',
label=_('Preserved user'), Adding @HonzaCholasta to make sure that changing options in this way is compatible |
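Review bot: Dropping `no_option` from the `flags=` line of `nsaccountlock?` makes the attribute searchable, but nothing in this hunk covers user entries where the attribute is absent, so a search for enabled users (value false) can miss accounts that never had it written, as discussed later in this thread. Suggest handling the missing-attribute case in the find filter and adding a `user-find` test for both values. The new flags exclude only create and update, so it is also worth confirming that every other command built from `takes_params` is meant to gain the option.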
I didn't want to limit it to user-find. However, it looks like adding the option is actually pointless as that information is in the output already. I can fix that.
@MartinBasti sure. Not sure where we are with ABI/API compatibility issues which is why I didn't use the overriding get_options. I guess we will see what @HonzaCholasta says. |
7d05370
to
6d398d8
Compare
Replacing So, @redhatrises's approach is OK, although I would rather remove the Also, now that the option is visible in CLI, you should set |
This patch provides the ability to search and find users who are enabled/disabled in `ipa user-find` command without breaking API compatibility.
6d398d8
to
f3d33fb
Compare
@MartinBasti I believe that this is ready for your review. |
LGTM, I'll test it later |
@pvomacka IMO this may deserve webUI part too |
Fixed upstream |
I found a "not-sure-if" bug: nsaccountlock is not always specified (admin has it and any user after user-enable, that's why I didn't catch it during testing of PR) in LDAP tree, so search IMHO this is unexpected behavior for users, however expected from IPA framework POV and LDAP POV. |
Or we can modify search filter on server to cover this case, but it won't be nice |
@MartinBasti sorry for the late reply, but yes, this is a bug. If 'nsaccountlock' doesn't exist, it should return as |
@redhatrises IMO for new users we can always create that attribute in LDAP, that should limit bad behavior. I wouldn't add it to user-add, usually you want to create an enabled user, for disabled you can use stage-user. I hope that activating a stage user creates this attribute in LDAP as well. However, this needs a discussion on whether it is the right approach. BTW you can open a new PR, we shouldn't continue here. |
No, it's not the right approach. This is an issue in the framework and that's where it needs to be fixed - in the framework - rather than working around the issue in every plugin which hits it. |
nsaccountlock is an operational attribute, not a normal one. I don't like it being created all the time. You have to request it explicitly if you want to show status of users, not invent a mechanism to always add it. |
Thanks guys. So can this be fixed in |
Yes, you can add nsaccountlock attribute retrieval in the |
@abbra, the issue is not that the attribute is not requested (it is in fact always requested in user commands), it is that when the attribute is not set on a user entry (that's right, the attribute is not operational in 389 DS), the entry will not be returned in @redhatrises, the framework fix would be to update

```python
def get_attr_filter(self, ldap, **options):
    """
    Returns a MATCH_ALL filter containing all required attributes from the
    options
    """
    search_kw = self.args_options_2_entry(**options)
    search_kw['objectclass'] = self.obj.object_class

    default_kw = self.get_default(**options)

    filters = []
    for name, value in search_kw.items():
        flt = ldap.make_filter_from_attr(name, value, ldap.MATCH_ALL)
        if name in default_kw and value == default_kw[name]:
            # default value search, check also for non-present attribute
            flt = ldap.combine_filters([flt, '(!({}=*))'.format(name)])
        filters.append(flt)

    return ldap.combine_filters(filters, ldap.MATCH_ALL)
```
The nsaccountlock is a virtual attribute in 389-ds:
Notice |
I see, I assumed that it's not operational because it's not always set. I stand corrected, but this information does not change anything in respect to the default value search issue. |
You are correct in the fact that the search filter needs to be modified to allow matching entries without nsAccountLock attribute set. |
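The default-value search problem discussed in this thread, as an added example (not FreeIPA code and not written by any participant): a plain equality filter skips entries that never had `nsaccountlock` written, while OR-ing in an absence test returns them. The sample entries and the names `build_filter`, `_eval` and `search` are constructed for illustration, and FALSE is assumed to be the default value.

```python
# Added example: constructed entries and a minimal matcher, not FreeIPA code.
ENTRIES = {  # constructed sample users; a missing attribute means "never locked"
    "admin": {"nsaccountlock": "FALSE"},
    "alice": {},                          # attribute never written
    "bob": {"nsaccountlock": "TRUE"},     # disabled
    "carol": {"nsaccountlock": "FALSE"},  # disabled once, then re-enabled
}

def build_filter(attr, value, default=None):
    """Equality filter; a search for the default value also accepts absence.
    Values are fixed literals here; real input must be escaped per RFC 4515."""
    eq = "({}={})".format(attr, value)
    if default is not None and value == default:
        return "(|{}(!({}=*)))".format(eq, attr)
    return eq

def _eval(s, entry):
    """Evaluate one parenthesised filter; return (result, unparsed remainder)."""
    if not s.startswith("("):
        raise ValueError("expected '(' at: " + repr(s))
    s = s[1:]
    head = s[:1]
    if head in ("&", "|"):
        s, results = s[1:], []
        while s.startswith("("):
            res, s = _eval(s, entry)
            results.append(res)
        val = all(results) if head == "&" else any(results)
    elif head == "!":
        res, s = _eval(s[1:], entry)
        val = not res
    else:  # simple item: attr=value or attr=* (presence)
        item, sep, rest = s.partition(")")
        attr, eq, want = item.partition("=")
        if not sep or not eq:
            raise ValueError("malformed item: " + repr(item))
        have = entry.get(attr.lower())
        if want == "*":
            return have is not None, rest
        return have is not None and have.upper() == want.upper(), rest
    if not s.startswith(")"):
        raise ValueError("expected ')' at: " + repr(s))
    return val, s[1:]

def search(flt):
    """Sorted uids of constructed entries matched by a fully parsed filter."""
    return sorted(u for u, e in ENTRIES.items() if _eval(flt, e) == (True, ""))
```

With these entries, the plain filter for FALSE omits `alice`, which is the account an audit of enabled users would silently lose.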