When getting members let user indicate what type of member they want.

The memberOf attribute includes members that are directly in the group
via the "member" attribute and those that are included as a result of
being in a group that is in the group.

The UI needs to be able to distinguish between the two.

438706

1 files changed, 44 insertions, 4 deletions

diff --git a/ipa-server/xmlrpc-server/funcs.py b/ipa-server/xmlrpc-server/funcs.py
index 43bcf9869..4c346698c 100644
--- a/ipa-server/xmlrpc-server/funcs.py
+++ b/ipa-server/xmlrpc-server/funcs.py
@@ -1725,22 +1725,42 @@ class IPAServer:
 
         return attrs.attr_label_list
 
-    def group_members(self, groupdn, attr_list, opts=None):
+    def group_members(self, groupdn, attr_list, membertype, opts=None):
         """Do a memberOf search of groupdn and return the attributes in
-           attr_list (an empty list returns everything)."""
+           attr_list (an empty list returns all attributes).
+
+           membertype = 0 all members returned
+           membertype = 1 only direct members are returned
+           membertype = 2 only inherited members are returned
+
+           Members may be included in a group as a result of being a member
+           of a group that is a member of the group being queried.
+        """
 
         if not isinstance(groupdn,basestring) or len(groupdn) == 0:
             raise ipaerror.gen_exception(ipaerror.INPUT_INVALID_PARAMETER)
         if attr_list is not None and not isinstance(attr_list,list):
             raise ipaerror.gen_exception(ipaerror.INPUT_INVALID_PARAMETER)
+        if membertype is not None and not isinstance(membertype,int):
+            raise ipaerror.gen_exception(ipaerror.INPUT_INVALID_PARAMETER)
+        if membertype is None:
+            membertype = 0
+        if membertype < 0 or membertype > 3:
+            raise ipaerror.gen_exception(ipaerror.INPUT_INVALID_PARAMETER)
         config = self.get_ipa_config(opts)
         timelimit = float(config.get('ipasearchtimelimit'))
 
+        logging.debug("IPA: group_members: %s %s %s" % (groupdn, attr_list, membertype))
+
         searchlimit = float(config.get('ipasearchrecordslimit'))
 
         groupdn = self.__safe_filter(groupdn)
         searchfilter = "(memberOf=%s)" % groupdn
 
+        if attr_list is None:
+            attr_list = []
+        attr_list.append("member")
+
         conn = self.getConnection(opts)
         try:
             try:
@@ -1755,9 +1775,29 @@ class IPAServer:
         counter = results[0]
         results = results[1:]
 
-        entries = [counter]
+        if membertype == 0:
+            entries = [counter]
+            for e in results:
+                entries.append(self.convert_entry(e))
+
+            return entries
+
+        group = self.get_entry_by_dn(groupdn, ['dn', 'member'], opts)
+        real_members = group.get('member')
+        if isinstance(real_members, basestring):
+            real_members = [real_members]
+
+        entries = [0]
         for e in results:
-            entries.append(self.convert_entry(e))
+            if e.dn not in real_members:
+                if membertype == 2:
+                    entries.append(self.convert_entry(e))
+            else:
+                if membertype == 1:
+                    entries.append(self.convert_entry(e))
+
+        if len(entries) > 1:
+            entries[0] = len(entries) - 1
 
         return entries