In this section
•Adding sections for new data sources
The component uses configuration parameters specified in the [LookupD] section of the unified configuration file of Dr.Web Mail Security Suite.
The section contains the following parameters:
Parameter |
Description |
||
|---|---|---|---|
LogLevel {logging level} |
Logging level of the component. If a parameter value is not specified, the DefaultLogLevel parameter value from the [Root] section is used. Default value: Notice |
||
Log {log type} |
Logging method of the component. Default value: Auto |
||
ExePath {path to file} |
Component executable path. Default value: •for GNU/Linux: /opt/drweb.com/bin/drweb-lookupd •for FreeBSD: /usr/local/libexec/drweb.com/bin/drweb-lookupd |
||
RunAsUser {UID | user name} |
User on behalf of whom the component is started. Either a numerical UID of the user or a user name (login) can be specified. If the user name consists of numbers (that is, the name is similar to a numerical UID), it must be specified with the name: prefix, for example, RunAsUser = name:123456. If the user name is not specified, the component shuts down with an error upon startup. Default value: drweb |
||
IdleTimeLimit {time interval} |
Maximum idle time for the component. When the specified period of time expires, the component shuts down. Allowed values: from 10 seconds (10s) to 30 days (30d). Default value: 10m |
||
DebugLibldap {boolean} |
Log or do not log debug messages of the libldap library at the debug level (with LogLevel = DEBUG). Default value: No |
||
LdapCheckCertificate {No | Allow | Try | Yes} |
The mode of certificate verification for LDAP connections via SSL/TLS. Allowed values: •No—never request a server certificate. •Allow—request the server certificate. If the certificate is not provided, the session will continue normally. If the server certificate is provided but cannot be verified (the corresponding root certificate was not found), the server certificate will be ignored and the session will continue normally. •Try—request the server certificate. If the certificate is not provided, the session will continue normally. If the server certificate is provided but cannot be verified (the corresponding root certificate was not found), the session will be terminated. •Yes—request the server certificate. If the certificate is not provided or cannot be verified (the corresponding root certificate was not found), the session will be terminated. For LDAP data sources this certificate verification mode influences the way the URL is processed when the ldaps:// scheme or the StartTLS extension is used. For AD data sources it influences the server connection, if UseSSL=Yes is specified in the corresponding section (see below). Default value: Yes |
||
LdapCertificatePath {path to file} |
Path to the SSL certificate used for secure connection to LDAP servers (Active Directory) via SSL/TLS.
Default value: (not specified) |
||
LdapKeyPath {path to file} |
Path to the private key used for secure connection to LDAP servers (Active Directory) via SSL/TLS.
Default value: (not specified) |
||
LdapCaPath {path} |
Path to the directory or file with a list of root certificates which are trusted for sharing data using the LDAP protocol via SSL/TLS. Default value: <path to the system list of trusted certificates>. The path depends on your GNU/Linux distribution. •For Astra Linux, Debian, Linux Mint, SUSE Linux and Ubuntu this is usually the path /etc/ssl/certs/. •For CentOS and Fedora—the path /etc/pki/tls/certs/ca-bundle.crt. •For other distributions, the path can be determined by running the openssl version -d command. •If the command is unavailable or your OS distribution cannot be identified, the /etc/ssl/certs/ value is used. |
||
DbIdleTimeout {time interval} |
The timeout period at the end of which an established connection to a Redis database will be closed if it is idle. Default value: 5m |
||
MysqlDefaultConn {URL} |
URI that defines default parameters for connecting to a MySQL database. Allowed values: •tcp://[<user>[:<password>]@][<host>][:<port>][/<database name>][?<parameter>=<value>[&…]]; •unix://[<user>[:<password>]@]<socket path>[:<database name>][?<parameter>=<value>[&…]].
Default value: (not specified) |
||
PqDefaultConn {URL} |
URI that defines default parameters for connecting to a PostgreSQL database. Allowed values: •tcp://[<user>[:<password>]@][<host>][:<port>][/<database name>][?<parameter>=<value>[&…]]; •unix://[<user>[:<password>]@]<socket path>[:<database name>][?<parameter>=<value>[&…]].
Default value: (not specified) |
||
SqliteDefaultConn {path to file} |
Path to a default SQLite database file (specify the file:// scheme prefix). Default value: (not specified) |
||
RedisDefaultConn {URL} |
URL that defines default parameters for connecting to a Redis database. Allowed values: •tcp://[<password>@][<host>][:<port>][/<database index>]; •unix://[<password>@]<socket path>[:<database index>].
Default value: (not specified) |
||
RedisCaPath {path to file} |
Path to the directory or file with a list of root certificates that are trusted for sharing data with a Redis database via SSL/TLS. Default value: <path to the system list of trusted certificates>. The path depends on your GNU/Linux distribution. •For Astra Linux, Debian, Linux Mint, SUSE Linux and Ubuntu this is usually the path /etc/ssl/certs/. •For CentOS and Fedora—the path /etc/pki/tls/certs/ca-bundle.crt. •For other distributions, the path can be determined by running the openssl version -d command. •If the command is unavailable or your OS distribution cannot be identified, the /etc/ssl/certs/ value is used. |
||
RedisCertificatePath {path to file} |
Path to the SSL certificate used for secure connection to a Redis database via SSL/TLS.
Default value: (not specified) |
||
RedisKeyPath {path to file} |
Path to the private key used for secure connection to a Redis database via SSL/TLS.
Default value: (not specified) |
URI requirements for database connection
1.Only the tcp:// and unix:// scheme prefixes (for local UNIX sockets) are used. Database-specific prefixes, such as postgresql:// or mysql://, are not supported. Path to an SQLite database file is specified with the file:// scheme prefix.
2.If the <host> field is not specified in the URI or the localhost host is specified, the 127.0.0.1 host address is substituted. In this case by default the connection to MySQL and PostgreSQL databases is established using a local UNIX socket despite that a network connection is specified.
3.If URI fields (such as <user>, <password>, <database name> and so on) or the connection parameter string contain special characters (a space, a colon and so on), use hex coding, for example:
▫space—%20;
▫:—%3A;
▫/—%2F;
▫@—%40;
▫%—%25.
4.For MySQL, the connection parameter string can include only the following parameters:
Parameter name |
Convention in database documentation |
Type |
Description |
|---|---|---|---|
init |
MYSQL_INIT_COMMAND |
String |
An SQL command to be run after connecting to the database |
compression |
MYSQL_OPT_COMPRESS |
Boolean |
Compress or do not compress data in transit |
connect-timeout |
MYSQL_OPT_CONNECT_TIMEOUT |
Integer |
Time-out for disconnecting an unused connection in seconds |
reconnect |
MYSQL_OPT_RECONNECT |
Boolean |
Allow or deny automatic reconnection |
read-timeout |
MYSQL_OPT_READ_TIMEOUT |
Integer |
Time-out for receiving packets from the server in seconds |
write-timeout |
MYSQL_OPT_WRITE_TIMEOUT |
Integer |
Time-out for sending packets to the server in seconds |
charset |
MYSQL_SET_CHARSET_NAME |
String |
Character encoding used for the default connection |
plugin-dir |
MYSQL_PLUGIN_DIR |
String |
Path to the server directory storing plug-ins |
nonblock |
MYSQL_OPT_NONBLOCK |
Integer |
Stack size for non-blocking I/O operations |
ssl-key |
MYSQL_OPT_SSL_KEY |
String |
Path to a private key (in the PEM format) used to establish a secure connection |
ssl-cert |
MYSQL_OPT_SSL_CERT |
String |
Path to a public key certificate (in the PEM format) used to establish a secure connection |
ssl-ca |
MYSQL_OPT_SSL_CA |
String |
Path to a file (in the PEM format) containing trusted CA certificates |
ssl-capath |
MYSQL_OPT_SSL_CAPATH |
String |
Path to a directory containing trusted CA certificates (in the PEM format) |
ssl-cipher |
MYSQL_OPT_SSL_CIPHER |
String |
List of supported encryption algorithms for a secure connection |
ssl-crl |
MYSQL_OPT_SSL_CRL |
String |
Path to a file (in the PEM format) containing revoked certificates |
ssl-crlpath |
MYSQL_OPT_SSL_CRLPATH |
String |
Path to a directory containing revoked certificates (in the PEM format) |
ssl-fp |
MARIADB_OPT_SSL_FP |
String |
SHA1 hash of a trusted server certificate |
ssl-fp-list |
MARIADB_OPT_SSL_FP_LIST |
String |
Path to a file containing SHA1 hashes of tursted server certificates |
tls-passphrase |
MARIADB_OPT_TLS_PASSPHRASE |
String |
Password for a password-protected client private key |
tls-version |
MARIADB_OPT_TLS_VERSION |
String |
List of supported TLS versions |
server-verify-cert |
MYSQL_OPT_SSL_VERIFY_SERVER_CERT |
Boolean |
Allow or deny verification of server certificates |
server-public-key-path |
MYSQL_SERVER_PUBLIC_KEY |
String |
Path to a file (in the PEM format) containing an RSA public key of the server |
Read more on these parameters in the database documentation: https://mariadb.com/kb/en/mysql_optionsv/.
5.For the PostgreSQL database also refer to https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-PARAMKEYWORDS.
In addition to the general section [LookupD], the configuration file also contains sections that describe connections to data sources (one section for each connection). These sections are named using the following scheme: [LookupD.<type>.<name>], where:
•<type>—connection type:
▫LDAP—for a directory service using LDAP;
▫AD—for a directory service using Active Directory;
▫AllMatch—for a text file in the AllMatch mode (full match);
▫Mask—for a text file in the Mask mode (mask matching);
▫Regex—for a text file in the Regex mode (matching a regular expression in the PCRE standard);
▫Cidr—for a text file in the Cidr mode (matching IP addresses and/or ranges);
▫Pq—for a PostgreSQL database;
▫Mysql—for a MySQL database;
▫Sqlite—for an SQLite database;
▫Redis—for a Redis database.
•<name>—a unique identifier (tag) for the connection, by which the connection can be referred to from the rules.
Example: [LookupD.LDAP.auth1].
Connection-specific sections comprise a set of parameters depending on a source type. The number of sections is unlimited.
1.Parameters used in LDAP sections
Parameter |
Description |
||
Url {string} |
URL that defines the used LDAP server and extracted data. In accordance with RFC 4516, the URL is constructed on the basis of the following scheme: <scheme>://<host>[:<port>]/<dn>[?<attrs>[?<scope>[?<filter>[?<extensions>]]]] Where: <scheme>—method of connection to the server (the following schemes are allowed: ldap, ldaps and ldapi); <host>[:<port>]—LDAP server address at which the request is sent; <dn>—distinguished name of an object, information about which is received; <attrs>—names of record attributes, the values of which must be received in the request; <scope>—search scope (base, one, sub); <filter><filter>—filtering condition for the values of extracted attributes; <extensions>—list of LDAP extensions used in the request. Features •In the list of attributes <attrs>, it is possible to use special selection characters *, + and 1.1. •The following automatically resolved markers can be used in the <dn> and <filter> parts of the URLs: ▫$u is automatically replaced with user—the user name sent by a client component; ▫$d is automatically replaced with domain—the domain sent by the client component; ▫$D—a chain of <subdomain>.<domain> transformed into dc=<subdomain>,dc=<domain>; ▫$$—the $ character. •If the <filter> condition requires using special characters (for example: *, (, ), \, the character with code 0) as usual ones, they should be formatted as \XX. In addition, special characters in LDAP URLs are encoded using %XX sequences. For example, when using the / character in a URL in the ldapi scheme as a part of the path to a local LDAP server socket, this character is encoded as %2f. •As allowed extensions in <extensions>, only StartTLS and 1.3.6.1.4.1.1466.20037 are supported, they use TLS (i.e. a secure connection with an LDAP server is established, even if the use of the ldaps secure scheme is not explicitly indicated). If the name of the used extension is preceded by the ! character, then the use of TLS is required, i.e. in case it is impossible to establish a secure connection, the request will not be performed. Otherwise, the request will be performed even if a secure connection is not established.
Examples: ldaps://ds.example.com:990/$D?givenName,sn,cn?sub?(uid=$u) Default value: (not specified) |
||
BindDn {string} |
An object in the LDAP directory to which the user is bound to get authorization. Example: cn=admin,dc=nodomain Default value: (not specified) |
||
BindPassword {string} |
The password for authentication on the LDAP server. Default value: (not specified) |
||
ChaseReferrals {boolean} |
Follow or do not follow references to other LDAP servers, if the current LDAP server returns them in response to requests. Default value: No |
2.Parameters used in AD sections
Parameter |
Description |
Host {string} |
Domain name (FQDN) or IP address of a host running the server of the Active Directory service to be connected to. Example: win2012.win.local Default value: (not specified) |
Port {integer} |
Port on the host which is listened to by the server of the Active Directory service. Default value: 389 |
Dn {string} |
DN of an object in the Active Directory (similar to the dn part of the LDAP URL). Example: dc=win,dc=local Default value: (not specified) |
User {string} |
Full identifier of a user on the server. Example: Administrator@WIN.LOCAL Default value: (not specified) |
Password {string} |
The password for authentication on the Active Directory server. Default value: (not specified) |
ChaseReferrals {boolean} |
Follow or do not follow references to other LDAP servers, if the current Active Directory server returns them in response to requests. Default value: No |
UseSSL {boolean} |
Use or do not use SSL/TLS for connecting to an Active Directory server. Default value: No |
3.Parameters used in AllMatch, Mask, Regex, and Cidr sections
Parameter |
Description |
File {path} |
Path to a text file containing search strings. Example: /etc/file1 Default value: (not specified) |
Features
•Strings from a file specified in the section of the AllMatch type are used in a case-insensitive search to find a full match.
•Strings of a file specified in the section of the Mask type are treated as masks (wildcards). Masks can be considered a simplified version of regular expressions containing special characters besides standard ones. Comparing the strings with the masks is case-insensitive. Masks can contain the following special characters and expressions:
*—any character sequence;
?—any character;
[<character set>]—any character from the set (for example, [bac]);
[!<character set>]—any character that does not match any character from the set (for example, [!cab]);
[[:<class>:]]—any character from the provided POSIX character class (alnum, alpha, ascii, blank, cntrl, digit, graph, lower, print, punct, space, upper, xdigit).
A mask matching some substring must cover a search substring surrounded by * characters (e.g., *host*). If you need to specify one of special characters, you need to escape such character with the backslash: \[, \], \*, \?. If needed, the backslash can be escaped as well: \\. There is no need to escape any other characters, e.g. the \a\b\c\*\d\?\\ string will be converted to the abc*d?\ string. Examples of masks:
#Matches the name string exactly #Matches three-character strings where #Matches strings user, users, us3rr, ussr1 and so on #Matches strings .con, file.col, 3...co! and so on #Matches any string containing the host part, |
•Strings from a file specified in the section of the Regex type are interpreted as PCREs (Perl Compatible Regular Expressions). Matching strings with regular expressions is done case-insensitively. Examples of regular expressions:
#IPv4 #Email address in the .com domain |
•Strings from a file specified in the section of the Cidr type are interpreted as IP addresses or IP address ranges. Both IPv4 and IPv6 formats for IP addresses as well as address ranges are allowed. A subnet mask can be specified in the bit (octet) format, as well as in the CIDR (Classless Inter-Domain Routing) notation, for example:
#IPv4 #IPv6 |
4.Parameters used in the Pq, Mysql and Sqlite sections
Parameter |
Description |
||
Conn {string} |
Database connection string. Allowed values: •for the Mysql (MySQL) and Pq (PostgreSQL) sections: tcp://[<user>[:<password>]@]<host>[:<port>][/<database name>][?<parameter>=<value>[&…]]; unix://[<user>[:<password>]@]<socket path>[:<database name>][?<parameter>=<value>[&…]]; Examples: tcp://user:pwd@localhost:1234/userdb unix://user:pwd@/tmp/pgsql.sock:userdb
•for the Sqlite (SQLite) section: Path to a database file (specify the file:// scheme prefix). Example: file:///home/user/users.db Default value: defined by the corresponding *DefaultConn parameter value |
||
Request {string} |
String of an SQL query (SELECT) to the database. Like with AD and LDAP sources, the following automatically resolved markers can be used in the query: •$u, $U are replaced with user—the user name sent by a client component; •$d, $D are replaced with domain—the domain sent by the client component; •$$ is replaced with the $ character. Example: SELECT username FROM users INNER JOIN domains ON users.domain = domains.id WHERE domains.name = $d AND users.name = $u Default value: (not specified) |
|
Only the query of the SELECT type can be specified as an SQL query. After making substitutions, the query is passed to the database “as is”. If the query result contains more than one column, then all columns except the first will be ignored. |
5.Parameters used in Redis sections
Parameter |
Description |
||
Conn {string} |
Redis database connection string. Allowed values: •tcp://[<password>@]<host>[:<port>][/<database index>]; •unix://[<password>@]<socket path>[:<database index>];
Example: tcp://localhost:6379 Default value: defined by the RedisDefaultConn parameter value |
||
Request {string} |
Redis database query string. The following automatically resolved markers can be used in the query: •$u, $U are replaced with user—the user name sent by a client component; •$d, $D are replaced with domain—the domain sent by the client component; •$$ is replaced with the $ character. Example: HVALS bad_users Default value: (not specified) |
||
UseSSL {boolean} |
Use or do not use SSL/TLS for connecting to a Redis database. Default value: No |
|
If the query result contains more than one column, then all columns except the first will be ignored. |
Adding sections for new data sources
To add a new section for a data source of some type with a <name> tag using the Dr.Web Ctl command-line management tool for Dr.Web Mail Security Suite (run with the drweb-ctl command), it is sufficient to use the following command:
# drweb-ctl cfset LookupD.<type> -a <name> |
Example:
# drweb-ctl cfset LookupD.AD -a WinAD1 |
The first command will add a section named [LookupD.AD.WinAD1] to the configuration file, and the second command will modify the value of the Host parameter within this section.
Alternatively, you can write the new section directly to the configuration file (for example, by adding it to the end of the file):
[LookupD.AD.WinAD1] |
|
Both ways have the same effect; however, if you edit the configuration file directly, you will also need to apply the changed settings by reloading the configuration of Dr.Web Mail Security Suite with the command:
|