-rw-r--r-- | ipalib/errors.py | 12 | ||||
-rw-r--r-- | ipalib/plugins/baseldap.py | 12 | ||||
-rw-r--r-- | ipalib/plugins/user.py | 33 | ||||
-rw-r--r-- | tests/test_xmlrpc/test_user_plugin.py | 10 |
4 files changed, 45 insertions, 22 deletions
diff --git a/ipalib/errors.py b/ipalib/errors.py
index 79ce42dac..9cc4f55cb 100644
--- a/ipalib/errors.py
+++ b/ipalib/errors.py
@@ -913,12 +913,12 @@ class AlreadyActive(ExecutionError):
 >>> raise AlreadyActive()
 Traceback (most recent call last):
 ...
- AlreadyActive: This entry is already unlocked
+ AlreadyActive: This entry is already enabled
 """
 errno = 4009
- format = _('This entry is already unlocked')
+ format = _('This entry is already enabled')
 class AlreadyInactive(ExecutionError):
 """
@@ -929,12 +929,12 @@ class AlreadyInactive(ExecutionError):
 >>> raise AlreadyInactive()
 Traceback (most recent call last):
 ...
- AlreadyInactive: This entry is already locked
+ AlreadyInactive: This entry is already disabled
 """
 errno = 4010
- format = _('This entry is already locked')
+ format = _('This entry is already disabled')
 class HasNSAccountLock(ExecutionError):
 """
@@ -945,12 +945,12 @@ class HasNSAccountLock(ExecutionError):
 >>> raise HasNSAccountLock()
 Traceback (most recent call last):
 ...
- HasNSAccountLock: This entry has nsAccountLock set, it cannot be locked or unlocked
+ HasNSAccountLock: This entry cannot be enableed or disabled
 """
 errno = 4011
- format = _('This entry has nsAccountLock set, it cannot be locked or unlocked')
+ format = _('This entry cannot be enabled or disabled')
 class NotGroupMember(ExecutionError):
 """
diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py
index 97a02946b..708d1e4a1 100644
--- a/ipalib/plugins/baseldap.py
+++ b/ipalib/plugins/baseldap.py
@@ -400,7 +400,7 @@ class LDAPCreate(CallbackInterface, crud.Create):
 )
 if options.get('all', False):
- attrs_list = ['*']
+ attrs_list = ['*'] + self.obj.default_attributes
 else:
 attrs_list = list(
 set(self.obj.default_attributes + entry_attrs.keys())
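Review bot: In the third hunk of ipalib/errors.py the new doctest line for HasNSAccountLock reads `This entry cannot be enableed or disabled`, while the new `format` string a few lines below spells it `enabled`. If the module's doctests are run, the expected output will not match the message the exception produces. The docstring line should read `HasNSAccountLock: This entry cannot be enabled or disabled`. The class docstrings start above each hunk, so the rest of their text is not visible here.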
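Review bot: The new `attrs_list = ['*'] + self.obj.default_attributes` in the LDAPCreate hunk (and the identical line in the LDAPRetrieve, LDAPUpdate, LDAPAddMember, LDAPRemoveMember and LDAPSearch hunks) carries no comment saying why defaults are appended to a wildcard. Presumably the reason is that `*` does not return operational attributes such as the `nsaccountlock` this commit adds to the user defaults; a one-line comment such as `# '*' omits operational attributes, so request the object's defaults explicitly` would keep a later cleanup from dropping it. It also means `--all` now returns whatever any plugin lists in `default_attributes`, so that list becomes part of what each object exposes to callers. Each enclosing method starts and ends outside its hunk.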
@@ -538,7 +538,7 @@ class LDAPRetrieve(LDAPQuery):
 dn = self.obj.get_dn(*keys, **options)
 if options.get('all', False):
- attrs_list = ['*']
+ attrs_list = ['*'] + self.obj.default_attributes
 else:
 attrs_list = list(self.obj.default_attributes)
@@ -643,7 +643,7 @@ class LDAPUpdate(LDAPQuery, crud.Update):
 entry_attrs[a] += old_entry[a]
 if options.get('all', False):
- attrs_list = ['*']
+ attrs_list = ['*'] + self.obj.default_attributes
 else:
 attrs_list = list(
 set(self.obj.default_attributes + entry_attrs.keys())
@@ -903,7 +903,7 @@ class LDAPAddMember(LDAPModMember):
 completed += 1
 if options.get('all', False):
- attrs_list = ['*']
+ attrs_list = ['*'] + self.obj.default_attributes
 else:
 attrs_list = list(
 set(self.obj.default_attributes + member_dns.keys())
@@ -1005,7 +1005,7 @@ class LDAPRemoveMember(LDAPModMember):
 completed += 1
 if options.get('all', False):
- attrs_list = ['*']
+ attrs_list = ['*'] + self.obj.default_attributes
 else:
 attrs_list = list(
 set(self.obj.default_attributes + member_dns.keys())
@@ -1100,7 +1100,7 @@ class LDAPSearch(CallbackInterface, crud.Search):
 search_kw = self.args_options_2_entry(**options)
 if options.get('all', False):
- attrs_list = ['*']
+ attrs_list = ['*'] + self.obj.default_attributes
 else:
 attrs_list = list(
 set(self.obj.default_attributes + search_kw.keys())
diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py
index 086dc3933..536848b46 100644
--- a/ipalib/plugins/user.py
+++ b/ipalib/plugins/user.py
@@ -48,7 +48,7 @@ EXAMPLES:
 """
 from ipalib import api, errors
-from ipalib import Flag, Int, Password, Str
+from ipalib import Flag, Int, Password, Str, Bool
 from ipalib.plugins.baseldap import *
 from ipalib import _, ngettext
 from ipalib.request import context
@@ -66,7 +66,7 @@ class user(LDAPObject):
 search_attributes_config = 'ipausersearchfields'
 default_attributes = [
 'uid', 'givenname', 'sn', 'homedirectory', 'loginshell', 'ou',
- 'telephonenumber', 'title', 'memberof',
+ 'telephonenumber', 'title', 'memberof', 'nsaccountlock',
 ]
 uuid_attribute = 'ipauniqueid'
 attribute_members = {
@@ -149,6 +149,10 @@ class user(LDAPObject):
 Str('facsimiletelephonenumber*', cli_name='fax', label=_('Fax Number') ),
+ Bool('nsaccountlock?',
+ label=_('Account disabled'),
+ flags=['no_create', 'no_update', 'no_search'],
+ ),
 )
 api.register(user)
@@ -228,6 +232,11 @@ class user_mod(LDAPUpdate):
 msg_summary = _('Modified user "%(value)s"')
+ def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
+ if not 'nsaccountlock' in entry_attrs:
+ entry_attrs['nsaccountlock'] = [u'False']
+ return dn
+
 api.register(user_mod)
@@ -248,6 +257,12 @@ class user_find(LDAPSearch):
 getattr(context, 'principal')
 return filter
+ def post_callback(self, ldap, entries, truncated, *args, **options):
+ for entry in entries:
+ (dn, attrs) = entry
+ if not 'nsaccountlock' in attrs:
+ attrs['nsaccountlock'] = [u'False']
+
 msg_summary = ngettext(
 '%(count)d user matched', '%(count)d users matched', 0
 )
@@ -259,6 +274,10 @@ class user_show(LDAPRetrieve):
 """
 Display information about a user.
 """
+ def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
+ if not 'nsaccountlock' in entry_attrs:
+ entry_attrs['nsaccountlock'] = [u'False']
+ return dn
 api.register(user_show)
@@ -276,10 +295,7 @@ class user_disable(LDAPQuery):
 dn = self.obj.get_dn(*keys, **options)
- try:
- ldap.deactivate_entry(dn)
- except errors.AlreadyInactive:
- pass
+ ldap.deactivate_entry(dn)
 return dict(
 result=True,
@@ -302,10 +318,7 @@ class user_enable(LDAPQuery):
 dn = self.obj.get_dn(*keys, **options)
- try:
- ldap.activate_entry(dn)
- except errors.AlreadyActive:
- pass
+ ldap.activate_entry(dn)
 return dict(
 result=True,
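Review bot: The `post_callback` methods added to user_mod, user_find and user_show report `nsaccountlock` as `[u'False']` whenever the attribute is missing from the returned entry, which treats "not returned" as "not disabled". If the directory ever withholds the attribute from the caller, for example through access control, a disabled account would be shown as enabled; consider filling in the default only when the lookup is known to have been allowed to read it. Whether the text `False` matches the form the server returns for a locked entry is not visible in this diff, so consumers may have to handle two spellings. The check reads better as `if 'nsaccountlock' not in entry_attrs:`, and the three copies could share one helper.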
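Review bot: With the `try`/`except` removed in the user_disable hunk (and the matching user_enable hunk), `errors.AlreadyInactive` and `errors.AlreadyActive` now reach the caller, and nothing in the visible lines documents that. A script that disables an account during offboarding or incident handling will now get an error when the account is already disabled, so it needs to know this error means the account is already in the requested state. A docstring line such as `Raises AlreadyInactive if the account is already disabled.` (and the `AlreadyActive` counterpart on user_enable) would state the contract. Both methods start and end outside their hunks, so any existing docstring text is not visible here.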
diff --git a/tests/test_xmlrpc/test_user_plugin.py b/tests/test_xmlrpc/test_user_plugin.py
index a1346f58b..340963858 100644
--- a/tests/test_xmlrpc/test_user_plugin.py
+++ b/tests/test_xmlrpc/test_user_plugin.py
@@ -121,6 +121,7 @@ class test_user(Declarative):
 sn=[u'User1'],
 uid=[user1],
 memberof_group=[u'ipausers'],
+ nsaccountlock=[u'False'],
 ),
 value=user1,
 summary=None,
@@ -152,6 +153,7 @@ class test_user(Declarative):
 'ipauniqueid': [fuzzy_uuid],
 'mepmanagedentry': [u'cn=%s,cn=groups,cn=accounts,%s' % (user1, api.env.basedn)],
 'krbpwdpolicyreference': [u'cn=global_policy,cn=%s,cn=kerberos,%s' % (api.env.realm, api.env.basedn)],
+ 'nsaccountlock': [u'False'],
 },
 ],
 summary=u'1 user matched',
@@ -175,6 +177,7 @@ class test_user(Declarative):
 sn=[u'User1'],
 uid=[user1],
 memberof_group=[u'ipausers'],
+ nsaccountlock=[u'False'],
 ),
 ],
 summary=u'1 user matched',
@@ -200,6 +203,7 @@ class test_user(Declarative):
 memberof_group=[u'admins'],
 memberof_rolegroup=[u'hostadmin', u'replicaadmin'],
 memberof_taskgroup=[u'addhosts', u'removehosts', u'modifyhosts', u'manage_host_keytab', u'enroll_host', u'managereplica', u'deletereplica'],
+ nsaccountlock=[u'False'],
 ),
 dict(
 dn=u'uid=tuser1,cn=users,cn=accounts,' + api.env.basedn,
@@ -209,6 +213,7 @@ class test_user(Declarative):
 sn=[u'User1'],
 uid=[user1],
 memberof_group=[u'ipausers'],
+ nsaccountlock=[u'False'],
 ),
 ],
 summary=u'2 users matched',
@@ -234,6 +239,7 @@ class test_user(Declarative):
 memberof_group=[u'admins'],
 memberof_rolegroup=[u'hostadmin', u'replicaadmin'],
 memberof_taskgroup=[u'addhosts', u'removehosts', u'modifyhosts', u'manage_host_keytab', u'enroll_host', u'managereplica', u'deletereplica'],
+ nsaccountlock=[u'False'],
 ),
 ],
 summary=u'1 user matched',
@@ -282,6 +288,7 @@ class test_user(Declarative):
 sn=[u'User1'],
 uid=[user1],
 memberof_group=[u'ipausers'],
+ nsaccountlock=[u'False'],
 ),
 summary=u'Modified user "tuser1"',
 value=user1,
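Review bot: Every expectation added to test_user_plugin.py, in these hunks and the ones that follow, is `nsaccountlock=[u'False']`, which is the value the plugin fills in itself when the attribute is absent. No visible test disables an account and then checks what `user_show` or `user_find` report, and none exercises the `AlreadyInactive`/`AlreadyActive` errors that `user_disable` and `user_enable` now let through. A case that runs `user_disable`, asserts the reported lock state, and then repeats the call expecting the error would pin the behaviour this commit is meant to provide. The enclosing test class starts and ends outside these hunks.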
@@ -301,6 +308,7 @@ class test_user(Declarative):
 sn=[u'User1'],
 uid=[user1],
 memberof_group=[u'ipausers'],
+ nsaccountlock=[u'False'],
 ),
 summary=None,
 value=user1,
@@ -320,6 +328,7 @@ class test_user(Declarative):
 sn=[u'User1'],
 uid=[renameduser1],
 memberof_group=[u'ipausers'],
+ nsaccountlock=[u'False'],
 ),
 summary=u'Modified user "%s"' % user1,
 value=user1,
@@ -345,6 +354,7 @@ class test_user(Declarative):
 sn=[u'User1'],
 uid=[user1],
 memberof_group=[u'ipausers'],
+ nsaccountlock=[u'False'],
 ),
 summary=u'Modified user "%s"' % renameduser1,
 value=renameduser1,
|