I’m trying to pass a variable to an Event Script. I have a script that executes when the Reset Fail Counter button is pressed for a token assigned to user. I see there are parameter check boxes that can be passed to the script, but the two user based parameters aren’t quite right. I’d like to pass the username of the account that the token is assigned to. The logged-in-user would work if we allowed users to reset their own fail counter, but we do not. I was hoping the --user parameter would work, but there is no user recorded when that is done.
So, is there a way to pass the username of the token owner to the script? If it helps, the event is “token_reset” and the condition is “token locked: false”.
Alternately, passing the token serial number when the “validate/check” event occurs would work. In that instance, though, it looks like only the username variable is passed, not the associated serial number of the token assigned to that username.
The event resets the serial number. The username for the token is not resolver (it also would take long).
You can have your script resolver the username (the owner) of the token.
That’s ultimately what I did, I found a work around that actually ends up being useful. Since the lockout event only called the username and the unlock event only called the serial, I have a script that runs when a user enrolls their token. That event processes both the serial and the user. When that event occurs, an ldapmodify is run that puts their serial number into their LDAP Description attribute. Then, when lock/unlock events occur, ldapsearches can pull the info I need.
Is that what you meant, or is there a way to script a query of the PrivacyIDEA DB? I did a mysqldump, but no big surprise that the only plain text references to tokens or users was in the audit table. If there is a way to script a bash query for that info, that might be useful for later scripts.