2 files changed, 29 insertions, 16 deletions

diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py
index 97a02946..708d1e4a 100644
--- a/ipalib/plugins/baseldap.py
+++ b/ipalib/plugins/baseldap.py
@@ -400,7 +400,7 @@ class LDAPCreate(CallbackInterface, crud.Create):
             )
 
         if options.get('all', False):
-            attrs_list = ['*']
+            attrs_list = ['*'] + self.obj.default_attributes
         else:
             attrs_list = list(
                 set(self.obj.default_attributes + entry_attrs.keys())
@@ -538,7 +538,7 @@ class LDAPRetrieve(LDAPQuery):
         dn = self.obj.get_dn(*keys, **options)
 
         if options.get('all', False):
-            attrs_list = ['*']
+            attrs_list = ['*'] + self.obj.default_attributes
         else:
             attrs_list = list(self.obj.default_attributes)
 
@@ -643,7 +643,7 @@ class LDAPUpdate(LDAPQuery, crud.Update):
                     entry_attrs[a] += old_entry[a]
 
         if options.get('all', False):
-            attrs_list = ['*']
+            attrs_list = ['*'] + self.obj.default_attributes
         else:
             attrs_list = list(
                 set(self.obj.default_attributes + entry_attrs.keys())
@@ -903,7 +903,7 @@ class LDAPAddMember(LDAPModMember):
                         completed += 1
 
         if options.get('all', False):
-            attrs_list = ['*']
+            attrs_list = ['*'] + self.obj.default_attributes
         else:
             attrs_list = list(
                 set(self.obj.default_attributes + member_dns.keys())
@@ -1005,7 +1005,7 @@ class LDAPRemoveMember(LDAPModMember):
                         completed += 1
 
         if options.get('all', False):
-            attrs_list = ['*']
+            attrs_list = ['*'] + self.obj.default_attributes
         else:
             attrs_list = list(
                 set(self.obj.default_attributes + member_dns.keys())
@@ -1100,7 +1100,7 @@ class LDAPSearch(CallbackInterface, crud.Search):
         search_kw = self.args_options_2_entry(**options)
 
         if options.get('all', False):
-            attrs_list = ['*']
+            attrs_list = ['*'] + self.obj.default_attributes
         else:
             attrs_list = list(
                 set(self.obj.default_attributes + search_kw.keys())
diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py
index 086dc393..536848b4 100644
--- a/ipalib/plugins/user.py
+++ b/ipalib/plugins/user.py
@@ -48,7 +48,7 @@ EXAMPLES:
 """
 
 from ipalib import api, errors
-from ipalib import Flag, Int, Password, Str
+from ipalib import Flag, Int, Password, Str, Bool
 from ipalib.plugins.baseldap import *
 from ipalib import _, ngettext
 from ipalib.request import context
@@ -66,7 +66,7 @@ class user(LDAPObject):
     search_attributes_config = 'ipausersearchfields'
     default_attributes = [
         'uid', 'givenname', 'sn', 'homedirectory', 'loginshell', 'ou',
-        'telephonenumber', 'title', 'memberof',
+        'telephonenumber', 'title', 'memberof', 'nsaccountlock',
     ]
     uuid_attribute = 'ipauniqueid'
     attribute_members = {
@@ -149,6 +149,10 @@ class user(LDAPObject):
         Str('facsimiletelephonenumber*',
             cli_name='fax',
             label=_('Fax Number') ),
+        Bool('nsaccountlock?',
+            label=_('Account disabled'),
+            flags=['no_create', 'no_update', 'no_search'],
+        ),
     )
 
 api.register(user)
@@ -228,6 +232,11 @@ class user_mod(LDAPUpdate):
 
     msg_summary = _('Modified user "%(value)s"')
 
+    def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
+        if not 'nsaccountlock' in entry_attrs:
+            entry_attrs['nsaccountlock'] = [u'False']
+        return dn
+
 api.register(user_mod)
 
 
@@ -248,6 +257,12 @@ class user_find(LDAPSearch):
                 getattr(context, 'principal')
         return filter
 
+    def post_callback(self, ldap, entries, truncated, *args, **options):
+        for entry in entries:
+            (dn, attrs) = entry
+            if not 'nsaccountlock' in attrs:
+                attrs['nsaccountlock'] = [u'False']
+
     msg_summary = ngettext(
         '%(count)d user matched', '%(count)d users matched', 0
     )
@@ -259,6 +274,10 @@ class user_show(LDAPRetrieve):
     """
     Display information about a user.
     """
+    def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
+        if not 'nsaccountlock' in entry_attrs:
+            entry_attrs['nsaccountlock'] = [u'False']
+        return dn
 
 api.register(user_show)
 
@@ -276,10 +295,7 @@ class user_disable(LDAPQuery):
 
         dn = self.obj.get_dn(*keys, **options)
 
-        try:
-            ldap.deactivate_entry(dn)
-        except errors.AlreadyInactive:
-            pass
+        ldap.deactivate_entry(dn)
 
         return dict(
             result=True,
@@ -302,10 +318,7 @@ class user_enable(LDAPQuery):
 
         dn = self.obj.get_dn(*keys, **options)
 
-        try:
-            ldap.activate_entry(dn)
-        except errors.AlreadyActive:
-            pass
+        ldap.activate_entry(dn)
 
         return dict(
             result=True,