From 47629a604d7f312ccb32e6b260782cb7c5c70954 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Mon, 25 Oct 2010 22:59:50 -0400
Subject: [PATCH] Retrieve Get Effective Rights output with LDAPRetrieve

The output is a pure python dict so is really only useful when used with
--all so it is required.

Updated to return a string for rights as opposed to a list.  Terser, reducing the wire size by a factor of 3.5
---
 ipalib/plugins/baseldap.py | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py
index 78ce8e023..91aa39650 100644
--- a/ipalib/plugins/baseldap.py
+++ b/ipalib/plugins/baseldap.py
@@ -426,6 +426,13 @@ class LDAPRetrieve(LDAPQuery):
     """
     has_output = output.standard_entry
 
+    takes_options = (
+        Flag('rights',
+            label=_('Rights'),
+            doc=_('Display the access rights to modify this entry (requires --all)'),
+        ),
+    )
+
     def execute(self, *keys, **options):
         ldap = self.obj.backend
 
@@ -455,6 +462,17 @@ class LDAPRetrieve(LDAPQuery):
             except errors.NotFound:
                 self.obj.handle_not_found(*keys)
 
+        if options.get('rights', False) and options.get('all', False):
+            rights = ldap.get_effective_rights(dn, ['*', 'nsaccountlock'])
+            if 'attributelevelrights' in rights[1]:
+                rights = rights[1]['attributelevelrights']
+                rights = rights[0].split(', ')
+                rdict = {}
+                for r in rights:
+                    (k,v) = r.split(':')
+                    rdict[k] = v
+                entry_attrs['attributelevelrights'] = rdict
+
         for callback in self.POST_CALLBACKS:
             if hasattr(callback, 'im_self'):
                 dn = callback(ldap, dn, entry_attrs, *keys, **options)