2 files changed, 53 insertions, 1 deletions

diff --git a/ipalib/plugins/aci.py b/ipalib/plugins/aci.py
index b0be26f5c..f7c6039a9 100644
--- a/ipalib/plugins/aci.py
+++ b/ipalib/plugins/aci.py
@@ -836,7 +836,18 @@ class aci_find(crud.Search):
                     a.target['targetfilter']['expression'] != kw['filter']:
                     results.remove(a)
 
-        # TODO: searching by: subtree
+        if kw.get('subtree'):
+            for a in acis:
+                if 'target' in a.target:
+                    target = a.target['target']['expression']
+                else:
+                    results.remove(a)
+                    continue
+                if kw['subtree'].lower() != target.lower():
+                    try:
+                        results.remove(a)
+                    except ValueError:
+                        pass
 
         acis = []
         for result in results:
diff --git a/tests/test_xmlrpc/test_permission_plugin.py b/tests/test_xmlrpc/test_permission_plugin.py
index 54d155aca..28db7dc2f 100644
--- a/tests/test_xmlrpc/test_permission_plugin.py
+++ b/tests/test_xmlrpc/test_permission_plugin.py
@@ -510,6 +510,47 @@ class test_permission(Declarative):
 
 
         dict(
+            desc='Change %r to a subtree type' % permission1_renamed_ucase,
+            command=(
+                'permission_mod', [permission1_renamed_ucase], dict(subtree=u'ldap:///cn=*,cn=test,cn=accounts,%s' % api.env.basedn, type=None)
+            ),
+            expected=dict(
+                value=permission1_renamed_ucase,
+                summary=u'Modified permission "%s"' % permission1_renamed_ucase,
+                result=dict(
+                    dn=lambda x: DN(x) == permission1_renamed_ucase_dn,
+                    cn=[permission1_renamed_ucase.lower()],
+                    member_privilege=[privilege1],
+                    subtree=u'ldap:///cn=*,cn=test,cn=accounts,%s' % api.env.basedn,
+                    permissions=[u'write'],
+                    memberof=u'ipausers',
+                ),
+            ),
+        ),
+
+
+        dict(
+            desc='Search for %r using --subtree' % permission1,
+            command=('permission_find', [], {'subtree': 'ldap:///cn=*,cn=test,cn=accounts,%s' % api.env.basedn}),
+            expected=dict(
+                count=1,
+                truncated=False,
+                summary=u'1 permission matched',
+                result=[
+                    {
+                        'dn':lambda x: DN(x) == permission1_renamed_ucase_dn,
+                        'cn':[permission1_renamed_ucase.lower()],
+                        'member_privilege':[privilege1],
+                        'subtree':u'ldap:///cn=*,cn=test,cn=accounts,%s' % api.env.basedn,
+                        'permissions':[u'write'],
+                        'memberof':u'ipausers',
+                    },
+                ],
+            ),
+        ),
+
+
+        dict(
             desc='Delete %r' % permission1_renamed_ucase,
             command=('permission_del', [permission1_renamed_ucase], {}),
             expected=dict(