Update get_attr_filter in LDAPSearch to handle nsaccountlock user searches

- Update get_attr_filter in LDAPSearch to handle nsaccountlock by setting the default value for
  nsaccountlock to false as well as update the filter to check for the default value
- Remove pytest xfail for test_find_enabled_user

https://pagure.io/freeipa/issue/6896

Reviewed-By: Jan Cholasta <jcholast@redhat.com>

4 files changed, 14 insertions, 7 deletions

diff --git a/API.txt b/API.txt
index 785053845..fa7582da2 100644
--- a/API.txt
+++ b/API.txt
@@ -5923,7 +5923,7 @@ option: Str('manager?')
 option: Str('mobile*')
 option: Flag('no_members', autofill=True, default=False)
 option: Flag('noprivate', autofill=True, cli_name='noprivate', default=False)
-option: Bool('nsaccountlock?', cli_name='disabled')
+option: Bool('nsaccountlock?', cli_name='disabled', default=False)
 option: Str('ou?', cli_name='orgunit')
 option: Str('pager*')
 option: Str('postalcode?')
@@ -6052,7 +6052,7 @@ option: Str('not_in_hbacrule*', cli_name='not_in_hbacrules')
 option: Str('not_in_netgroup*', cli_name='not_in_netgroups')
 option: Str('not_in_role*', cli_name='not_in_roles')
 option: Str('not_in_sudorule*', cli_name='not_in_sudorules')
-option: Bool('nsaccountlock?', autofill=False, cli_name='disabled')
+option: Bool('nsaccountlock?', autofill=False, cli_name='disabled', default=False)
 option: Str('ou?', autofill=False, cli_name='orgunit')
 option: Str('pager*', autofill=False)
 option: Flag('pkey_only?', autofill=True, default=False)
@@ -6109,7 +6109,7 @@ option: Str('mail*', autofill=False, cli_name='email')
 option: Str('manager?', autofill=False)
 option: Str('mobile*', autofill=False)
 option: Flag('no_members', autofill=True, default=False)
-option: Bool('nsaccountlock?', autofill=False, cli_name='disabled')
+option: Bool('nsaccountlock?', autofill=False, cli_name='disabled', default=False)
 option: Str('ou?', autofill=False, cli_name='orgunit')
 option: Str('pager*', autofill=False)
 option: Str('postalcode?', autofill=False)
diff --git a/ipaserver/plugins/baseldap.py b/ipaserver/plugins/baseldap.py
index dbe3cbd28..35ad96f92 100644
--- a/ipaserver/plugins/baseldap.py
+++ b/ipaserver/plugins/baseldap.py
@@ -1937,7 +1937,16 @@ class LDAPSearch(BaseLDAPCommand, crud.Search):
         """
         search_kw = self.args_options_2_entry(**options)
         search_kw['objectclass'] = self.obj.object_class
-        return ldap.make_filter(search_kw, rules=ldap.MATCH_ALL)
+
+        filters = []
+        for name, value in search_kw.items():
+            default = self.get_default_of(name, **options)
+            fltr = ldap.make_filter_from_attr(name, value, ldap.MATCH_ALL)
+            if default is not None and value == default:
+                fltr = ldap.combine_filters([fltr, '(!({}=*))'.format(name)])
+            filters.append(fltr)
+
+        return ldap.combine_filters(filters, rules=ldap.MATCH_ALL)
 
     def get_term_filter(self, ldap, term):
         """
diff --git a/ipaserver/plugins/user.py b/ipaserver/plugins/user.py
index 9eab52196..948a19898 100644
--- a/ipaserver/plugins/user.py
+++ b/ipaserver/plugins/user.py
@@ -380,6 +380,7 @@ class user(baseuser):
     takes_params = baseuser.takes_params + (
         Bool('nsaccountlock?',
             cli_name=('disabled'),
+            default=False,
             label=_('Account disabled'),
         ),
         Bool('preserved?',
diff --git a/ipatests/test_xmlrpc/test_user_plugin.py b/ipatests/test_xmlrpc/test_user_plugin.py
index 098163dc3..7393a2352 100644
--- a/ipatests/test_xmlrpc/test_user_plugin.py
+++ b/ipatests/test_xmlrpc/test_user_plugin.py
@@ -240,9 +240,6 @@ class TestFind(XMLRPC_test):
         result = command()
         user.check_find(result, pkey_only=True)
 
-    @pytest.mark.xfail(
-        reason="new users don't have set attribute nsaccountlock in LDAP, "
-               "thus this search doesn't return it in result")
     def test_find_enabled_user(self, user):
         """Test user-find --disabled=False with enabled user"""
         user.ensure_exists()