7 files changed, 31 insertions, 7 deletions

diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py
index 2e284274b..3cb72d7b0 100644
--- a/ipalib/plugins/baseldap.py
+++ b/ipalib/plugins/baseldap.py
@@ -50,6 +50,9 @@ global_output_params = (
     Str('member_host?',
         label=_('Member hosts'),
     ),
+    Str('member_hostgroup?',
+        label=_('Member host-groups'),
+    ),
     Str('memberof_hostgroup?',
         label=_('Member of host-groups'),
     ),
@@ -128,6 +131,18 @@ global_output_params = (
     Str('memberindirect_sudocmd?',
         label='Indirect Member SUDO commands',
     ),
+    Str('memberofindirect_group?',
+        label='Indirect Member of group',
+    ),
+    Str('memberofindirect_netgroup?',
+        label='Indirect Member of netgroup',
+    ),
+    Str('memberofindirect_hostgroup?',
+        label='Indirect Member of host-group',
+    ),
+    Str('memberofindirect_role?',
+        label='Indirect Member of role',
+    ),
     Str('externalhost?',
         label=_('External host'),
     ),
@@ -1184,6 +1199,9 @@ class LDAPRemoveMember(LDAPModMember):
                 set(self.obj.default_attributes + member_dns.keys())
             )
 
+        # Give memberOf a chance to update entries
+        time.sleep(.3)
+
         try:
             (dn, entry_attrs) = ldap.get_entry(
                 dn, attrs_list, normalize=self.obj.normalize_dn
diff --git a/ipalib/plugins/group.py b/ipalib/plugins/group.py
index b981731e3..1c0161a9d 100644
--- a/ipalib/plugins/group.py
+++ b/ipalib/plugins/group.py
@@ -85,13 +85,14 @@ class group(LDAPObject):
     search_attributes_config = 'ipagroupsearchfields'
     default_attributes = [
         'cn', 'description', 'gidnumber', 'member', 'memberof',
-        'memberindirect',
+        'memberindirect', 'memberofindirect',
     ]
     uuid_attribute = 'ipauniqueid'
     attribute_members = {
         'member': ['user', 'group'],
         'memberof': ['group', 'netgroup', 'role',],
         'memberindirect': ['user', 'group', 'netgroup', 'role'],
+        'memberofindirect': ['group', 'netgroup', 'role'],
     }
     rdnattr = 'cn'
 
diff --git a/ipalib/plugins/host.py b/ipalib/plugins/host.py
index b819688d0..f5f5157b0 100644
--- a/ipalib/plugins/host.py
+++ b/ipalib/plugins/host.py
@@ -189,13 +189,14 @@ class host(LDAPObject):
     default_attributes = [
         'fqdn', 'description', 'l', 'nshostlocation', 'krbprincipalname',
         'nshardwareplatform', 'nsosversion', 'usercertificate', 'memberof',
-        'krblastpwdchange', 'managedby'
+        'krblastpwdchange', 'managedby', 'memberindirect', 'memberofindirect',
     ]
     uuid_attribute = 'ipauniqueid'
     attribute_members = {
         'enrolledby': ['user'],
         'memberof': ['hostgroup', 'netgroup', 'role'],
         'managedby': ['host'],
+        'memberofindirect': ['hostgroup', 'netgroup', 'role'],
     }
     bindable = True
     relationships = {
diff --git a/ipalib/plugins/hostgroup.py b/ipalib/plugins/hostgroup.py
index 082e4ef00..f661a2ff5 100644
--- a/ipalib/plugins/hostgroup.py
+++ b/ipalib/plugins/hostgroup.py
@@ -60,13 +60,14 @@ class hostgroup(LDAPObject):
     object_name_plural = 'hostgroups'
     object_class = ['ipaobject', 'ipahostgroup']
     default_attributes = ['cn', 'description', 'member', 'memberof',
-        'memberindirect'
+        'memberindirect', 'memberofindirect',
     ]
     uuid_attribute = 'ipauniqueid'
     attribute_members = {
         'member': ['host', 'hostgroup'],
         'memberof': ['hostgroup'],
         'memberindirect': ['host', 'hostgroup'],
+        'memberofindirect': ['host', 'hostgroup'],
     }
 
     label = _('Host Groups')
diff --git a/ipalib/plugins/privilege.py b/ipalib/plugins/privilege.py
index dfc4085ae..0b451635e 100644
--- a/ipalib/plugins/privilege.py
+++ b/ipalib/plugins/privilege.py
@@ -41,11 +41,12 @@ class privilege(LDAPObject):
     object_name_plural = 'privileges'
     object_class = ['nestedgroup', 'groupofnames']
     default_attributes = ['cn', 'description', 'member', 'memberof',
-        'memberindirect'
+        'memberindirect', 'memberofindirect',
     ]
     attribute_members = {
         'member': ['role'],
         'memberof': ['permission'],
+        'memberofindirect': ['permission'],
     }
     reverse_members = {
         'member': ['permission'],
diff --git a/ipalib/plugins/role.py b/ipalib/plugins/role.py
index fd79845ab..3324dba8c 100644
--- a/ipalib/plugins/role.py
+++ b/ipalib/plugins/role.py
@@ -67,12 +67,12 @@ class role(LDAPObject):
     object_name_plural = 'roles'
     object_class = ['groupofnames', 'nestedgroup']
     default_attributes = ['cn', 'description', 'member', 'memberof',
-        'memberindirect'
+        'memberindirect', 'memberofindirect',
     ]
     attribute_members = {
         'member': ['user', 'group', 'host', 'hostgroup'],
-        'memberof': ['privilege'],
-#        'memberindirect': ['user', 'group', 'host', 'hostgroup'],
+        'memberof': ['privilege', 'role'],
+        'memberofindirect': ['role'],
     }
     reverse_members = {
         'member': ['privilege'],
diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py
index 0ea3c231f..ae730125d 100644
--- a/ipalib/plugins/user.py
+++ b/ipalib/plugins/user.py
@@ -84,10 +84,12 @@ class user(LDAPObject):
     default_attributes = [
         'uid', 'givenname', 'sn', 'homedirectory', 'loginshell', 'ou',
         'telephonenumber', 'title', 'memberof', 'nsaccountlock',
+        'memberofindirect',
     ]
     uuid_attribute = 'ipauniqueid'
     attribute_members = {
         'memberof': ['group', 'netgroup', 'role'],
+        'memberofindirect': ['group', 'netgroup', 'role'],
     }
     rdnattr = 'uid'
     bindable = True