Event Handler For Specific User(s) or IP(s)?


#1

Is there any way to create an event handler that will only fire if the action came from a specific IP or user? We are trying to whitelist users and IPs from certain events that occur.


#2

Hi,

currently there is no event handler condition for checking an IP but it shouldn’t be too difficult to implement.
Please note, that it is not always the real clients IP in the request but the one from the load-balancer, radius-server, etc.
Regards
Paul


#3

@droo would you mind creating a feature request at github:

We might enhance or also rework the event handler conditions one day.
(At least the list in the UI is too long :wink:


#4

If you’re adept at scripting and want to go this route, the event handler that calls a script allows you to pass the --user parameter to the script. You could maybe have the script do an IP check based on the user parameter that gets passed to it. It could check a database, or even a simple text file, and based on results, allow/deny log in. It might not work based on your specific requirements, but it’s worth looking in to just in case.


#5

Interesting idea. But currently the script in the event handler can not modify the result of the request.
But this would be an interesting aspect.
However, you could even write your own event handler.

But the problem is with the owncloud plugin - or the way owncloud allows to do a plugin.
If the plugin starts to communicate with privacyidea, this is already to late, owncloud would already have displayed any kind of “please do your 2FA” to the user.

So we need to adapt the owncloud plugin anyways!


#6

Ahh, you’re right, I wasn’t thinking about Event Handler not being able to do anything based on the script result. I have several scripts that use the user parameter, but they do all the work in the background, they just need Event Handler to fire them off under certain circumstances, then they do the rest. They don’t circle back and provide Event Handler with info to base a decision off of.


#7

Added an idea issue for tracking: