Description of problem:

The ipa CLI find and show commands are inconsistent across the different objects.

What is expected:

<object>-find command would simply return CN and DN, right now some return certain defined attributes.
<object>-show command would return all necessary defined attributes.
<object>-show --all command would return all defined attributes and objectclass.

Some find commands return defined attributes and some include objectclasses.

EXAMPLE:

    [root@jennyv2 jenny]# ipa group-find group1
    dn: cn=group1,cn=groups,cn=accounts,dc=bos,dc=redhat,dc=com
    cn: group1
    description: description
    objectclass: top
    objectclass: groupofnames
    objectclass: nestedGroup
    objectclass: ipaUserGroup

It is not documented anywhere as to what attributes (per object type) should be returned with the show command.

Right now, both *-show and *-find:

Without --all, return the most significant attributes for the object(s) being looked for (default_attributes).
With --all, return all attributes except those explicitly hidden (all, but those in hidden_attributes).

objectClass is hidden by default. Why? Because the goal was to hide LDAP internals from the user, who doesn't care about the underlying protocols. This behaviour can be overridden by using --raw: return the entry AS IS - no aliases, no explicitly hidden attributes, no DN conversions.

Does that make sense? Or should we go back to --all means ALL (no explicitly hidden attributes)?

Example of how it works now:

    # ./ipa user-show admin
    ----------
    user-show:
    ----------
    User: admin
    user id: admin
    last name: Administrator
    home directory: /home/admin
    login shell: /bin/bash

    # ./ipa user-show admin --raw
    ----------
    user-show:
    ----------
    dn: uid=admin,cn=users,cn=accounts,dc=pzuna
    uid: admin
    sn: Administrator
    homedirectory: /home/admin
    loginshell: /bin/bash

    # ./ipa user-show admin --all
    ----------
    user-show:
    ----------
    User: admin
    user id: admin
    full name: Administrator
    last name: Administrator
    home directory: /home/admin
    login shell: /bin/bash
    uid number: 999
    gid number: 1001
    gecos: Administrator
    kerberos principal: admin@PZUNA
    last password change: 20090904122852Z
    password expiration: 20091203122852Z
    member of groups: admins, group1
    member of netgroups: ahojnet
    member of taskgroups: ahojtask

    # ./ipa user-show admin --all --raw
    ----------
    user-show:
    ----------
    dn: uid=admin,cn=users,cn=accounts,dc=pzuna
    uid: admin
    cn: Administrator
    sn: Administrator
    homedirectory: /home/admin
    loginshell: /bin/bash
    uidnumber: 999
    gidnumber: 1001
    gecos: Administrator
    krbprincipalname: admin@PZUNA
    krblastpwdchange: 20090904122852Z
    krbpasswordexpiration: 20091203122852Z
    memberof: cn=admins,cn=groups,cn=accounts,dc=pzuna
    memberof: ipauniqueid=e6f27dde-a416-11de-b3b5-54520012e7cb,cn=ng,cn=alt,dc=pzuna
    memberof: cn=ahojtask,cn=taskgroups,cn=accounts,dc=pzuna
    memberof: cn=group1,cn=groups,cn=accounts,dc=pzuna
    objectclass: top
    objectclass: person
    objectclass: posixaccount
    objectclass: krbprincipalaux
    objectclass: inetuser

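The rule stated in the comment above (objectClass is hidden unless --raw is given) can be turned into a consistency check over CLI output. This is an added example, not part of the original bug thread and not FreeIPA code; the helper names parse_output and leaked_hidden are hypothetical, and the sample outputs are copied from this thread.

```python
# Added example: checks quoted ipa CLI output against the rule stated above.
# HIDDEN_ATTRIBUTES reflects the comment ("objectClass is hidden by default");
# parse_output and leaked_hidden are hypothetical helper names.
HIDDEN_ATTRIBUTES = {"objectclass"}

# Sample outputs copied from this thread (user-show --all is abbreviated).
GROUP_FIND = """\
dn: cn=group1,cn=groups,cn=accounts,dc=bos,dc=redhat,dc=com
cn: group1
description: description
objectclass: top
objectclass: groupofnames
objectclass: nestedGroup
objectclass: ipaUserGroup
"""
USER_SHOW_ALL = """\
----------
user-show:
----------
User: admin
user id: admin
full name: Administrator
kerberos principal: admin@PZUNA
member of groups: admins, group1
"""

def parse_output(text):
    """Return (attribute, value) pairs from 'name: value' lines."""
    pairs = []
    for line in text.splitlines():
        name, sep, value = line.strip().partition(":")
        # Skip dashed rules and headers such as 'user-show:' (no value).
        if not sep or not value.strip():
            continue
        pairs.append((name.strip().lower(), value.strip()))
    return pairs

def leaked_hidden(text, raw=False):
    """Hidden attributes present in output that was not requested with --raw."""
    if raw:
        return []  # --raw returns the entry as is, hidden attributes included
    return sorted({n for n, _ in parse_output(text)} & HIDDEN_ATTRIBUTES)

if __name__ == "__main__":
    print("group-find:", leaked_hidden(GROUP_FIND))
    print("user-show --all:", leaked_hidden(USER_SHOW_ALL))
    print("group-find --raw:", leaked_hidden(GROUP_FIND, raw=True))
```
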
Current approach seems reasonable if it is consistent across all objects. I think the bug is more about consistency. Pavel, are there any violations to the rules described above? If not and everything is consistent, I think we can close this bug. But if there is inconsistency to the described rule we need to fix it. Jenny, do you agree?
I see this is modified, but no changes made? Should we just close this current release? I just double checked and the output now seems to be consistent. If there are any specific issues found, we can open bugs to address them.
I set it to modified so that you'd take another look at it to be sure it was working as expected. I suppose I could have left a message to that effect...
okay .. closing current release :)