Update get_attr_filter in LDAPSearch to handle nsaccountlock user searches

- Update get_attr_filter in LDAPSearch to handle nsaccountlock by setting the default value for nsaccountlock to false as well as update the filter to check for the default value - Remove pytest xfail for test_find_enabled_user https://pagure.io/freeipa/issue/6896 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2025-02-25 18:55:28 -06:00 · 2017-04-25 07:51:17 -06:00
parent b64ec75788
commit 38276d3473
4 changed files with 14 additions and 7 deletions
--- a/API.txt
+++ b/API.txt
@@ -5923,7 +5923,7 @@ option: Str('manager?')
 option: Str('mobile*')
 option: Flag('no_members', autofill=True, default=False)
 option: Flag('noprivate', autofill=True, cli_name='noprivate', default=False)
-option: Bool('nsaccountlock?', cli_name='disabled')
+option: Bool('nsaccountlock?', cli_name='disabled', default=False)
 option: Str('ou?', cli_name='orgunit')
 option: Str('pager*')
 option: Str('postalcode?')
@@ -6052,7 +6052,7 @@ option: Str('not_in_hbacrule*', cli_name='not_in_hbacrules')
 option: Str('not_in_netgroup*', cli_name='not_in_netgroups')
 option: Str('not_in_role*', cli_name='not_in_roles')
 option: Str('not_in_sudorule*', cli_name='not_in_sudorules')
-option: Bool('nsaccountlock?', autofill=False, cli_name='disabled')
+option: Bool('nsaccountlock?', autofill=False, cli_name='disabled', default=False)
 option: Str('ou?', autofill=False, cli_name='orgunit')
 option: Str('pager*', autofill=False)
 option: Flag('pkey_only?', autofill=True, default=False)
@@ -6109,7 +6109,7 @@ option: Str('mail*', autofill=False, cli_name='email')
 option: Str('manager?', autofill=False)
 option: Str('mobile*', autofill=False)
 option: Flag('no_members', autofill=True, default=False)
-option: Bool('nsaccountlock?', autofill=False, cli_name='disabled')
+option: Bool('nsaccountlock?', autofill=False, cli_name='disabled', default=False)
 option: Str('ou?', autofill=False, cli_name='orgunit')
 option: Str('pager*', autofill=False)
 option: Str('postalcode?', autofill=False)
--- a/ipaserver/plugins/baseldap.py
+++ b/ipaserver/plugins/baseldap.py
@@ -1937,7 +1937,16 @@ class LDAPSearch(BaseLDAPCommand, crud.Search):
        """
        search_kw = self.args_options_2_entry(**options)
        search_kw['objectclass'] = self.obj.object_class
-        return ldap.make_filter(search_kw, rules=ldap.MATCH_ALL)
+
+        filters = []
+        for name, value in search_kw.items():
+            default = self.get_default_of(name, **options)
+            fltr = ldap.make_filter_from_attr(name, value, ldap.MATCH_ALL)
+            if default is not None and value == default:
+                fltr = ldap.combine_filters([fltr, '(!({}=*))'.format(name)])
+            filters.append(fltr)
+
+        return ldap.combine_filters(filters, rules=ldap.MATCH_ALL)

    def get_term_filter(self, ldap, term):
        """
--- a/ipaserver/plugins/user.py
+++ b/ipaserver/plugins/user.py
@@ -380,6 +380,7 @@ class user(baseuser):
    takes_params = baseuser.takes_params + (
        Bool('nsaccountlock?',
            cli_name=('disabled'),
+            default=False,
            label=_('Account disabled'),
        ),
        Bool('preserved?',
--- a/ipatests/test_xmlrpc/test_user_plugin.py
+++ b/ipatests/test_xmlrpc/test_user_plugin.py
@@ -240,9 +240,6 @@ class TestFind(XMLRPC_test):
        result = command()
        user.check_find(result, pkey_only=True)

-    @pytest.mark.xfail(
-        reason="new users don't have set attribute nsaccountlock in LDAP, "
-               "thus this search doesn't return it in result")
    def test_find_enabled_user(self, user):
        """Test user-find --disabled=False with enabled user"""
        user.ensure_exists()