4 files changed, 37 insertions, 2 deletions

diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py
index 46a98643e..0603d323b 100644
--- a/ipalib/plugins/baseldap.py
+++ b/ipalib/plugins/baseldap.py
@@ -1186,6 +1186,9 @@ class LDAPSearch(CallbackInterface, crud.Search):
     """
     Retrieve all LDAP entries matching the given criteria.
     """
+    member_attributes = []
+    member_param_doc = 'exclude %s with member %s (comma-separated list)'
+
     takes_options = (
         Int('timelimit?',
             label=_('Time Limit'),
@@ -1213,6 +1216,33 @@ class LDAPSearch(CallbackInterface, crud.Search):
     def get_options(self):
         for option in super(LDAPSearch, self).get_options():
             yield option
+        for attr in self.member_attributes:
+            for ldap_obj_name in self.obj.attribute_members[attr]:
+                ldap_obj = self.api.Object[ldap_obj_name]
+                name = to_cli(ldap_obj_name)
+                doc = self.member_param_doc % (
+                    self.obj.object_name_plural, ldap_obj.object_name_plural
+                )
+                yield List('no_%s?' % name, cli_name='no_%ss' % name, doc=doc,
+                           label=ldap_obj.object_name)
+
+    def get_member_filter(self, ldap, **options):
+        filter = ''
+        for attr in self.member_attributes:
+            for ldap_obj_name in self.obj.attribute_members[attr]:
+                param_name = 'no_%s' % to_cli(ldap_obj_name)
+                if param_name in options:
+                    dns = []
+                    ldap_obj = self.api.Object[ldap_obj_name]
+                    for pkey in options[param_name]:
+                        dns.append(ldap_obj.get_dn(pkey))
+                    flt = ldap.make_filter_from_attr(
+                        attr, dns, ldap.MATCH_NONE
+                    )
+                    filter = ldap.combine_filters(
+                        (filter, flt), ldap.MATCH_ALL
+                    )
+        return filter
 
     has_output_params = global_output_params
 
@@ -1254,8 +1284,10 @@ class LDAPSearch(CallbackInterface, crud.Search):
             search_kw[a] = term
         term_filter = ldap.make_filter(search_kw, exact=False)
 
+        member_filter = self.get_member_filter(ldap, **options)
+
         filter = ldap.combine_filters(
-            (term_filter, attr_filter), rules=ldap.MATCH_ALL
+            (term_filter, attr_filter, member_filter), rules=ldap.MATCH_ALL
         )
 
         scope = ldap.SCOPE_ONELEVEL
diff --git a/ipalib/plugins/group.py b/ipalib/plugins/group.py
index 75f40c573..6d321064d 100644
--- a/ipalib/plugins/group.py
+++ b/ipalib/plugins/group.py
@@ -212,6 +212,8 @@ class group_find(LDAPSearch):
     """
     Search for groups.
     """
+    member_attributes = ['member']
+
     msg_summary = ngettext(
         '%(count)d group matched', '%(count)d groups matched', 0
     )
diff --git a/ipalib/plugins/hostgroup.py b/ipalib/plugins/hostgroup.py
index 1c4cc28e8..d8e1331cc 100644
--- a/ipalib/plugins/hostgroup.py
+++ b/ipalib/plugins/hostgroup.py
@@ -123,7 +123,7 @@ class hostgroup_find(LDAPSearch):
     """
     Search for hostgroups.
     """
-
+    member_attributes = ['member']
     msg_summary = ngettext(
         '%(count)d hostgroup matched', '%(count)d hostgroups matched'
     )
diff --git a/ipalib/plugins/netgroup.py b/ipalib/plugins/netgroup.py
index e79aca2ad..a000c41e4 100644
--- a/ipalib/plugins/netgroup.py
+++ b/ipalib/plugins/netgroup.py
@@ -171,6 +171,7 @@ class netgroup_find(LDAPSearch):
     """
     Search for a netgroup.
     """
+    member_attributes = ['member', 'memberuser', 'memberhost']
     has_output_params = LDAPSearch.has_output_params + output_params
     msg_summary = ngettext(
         '%(count)d netgroup matched', '%(count)d netgroups matched'