In this section
•Adding sections for new data sources
The component uses configuration parameters which can be found in the [LookupD] section of the integrated configuration file of Dr.Web for UNIX Mail Servers.
The section contains the following parameters:
Parameter |
Description |
|---|---|
LogLevel {logging level} |
Logging level of the component. If the parameter value is not specified, the DefaultLogLevel parameter value from the [Root] section is used. Default value: Notice |
Log {log type} |
Logging method of the component. Default value: Auto |
ExePath {path to file} |
Executable path to the component. Default value: <opt_dir>/bin/drweb-lookupd. •For GNU/Linux: /opt/drweb.com/bin/drweb-lookupd. •For FreeBSD: /usr/local/libexec/drweb.com/bin/drweb-lookupd |
RunAsUser {UID | user name} |
The parameter determines under which user name the component should be run. The user name can be specified either as the user’s number UID or as the user’s login. If the user name consists of numbers (i.e. similar to number UID), it is specified with the “name:” prefix, for example: RunAsUser = name:123456. When a user name is not specified, the component operation terminates with an error after the startup. Default value: drweb |
IdleTimeLimit {time interval} |
Maximum idle time for the component. When the specified period of time expires, the component shuts down. Acceptable values: from 10 seconds (10s) to 30 days (30d) inclusive. Default value: 30s |
DebugLibldap {Boolean} |
Indicates whether debug messages of the libldap library are also included into the log file on the debug level (i.e. when LogLevel = DEBUG). Default value: No |
LdapCheckCertificate {No | Allow | Try | Yes} |
The mode of certificate verification for LDAP connections via SSL/TLS. Allowed values: •No—do not request the server certificate; •Allow—request the server certificate. If the certificate is not provided, the session will continue in its normal way. If the server certificate is provided but cannot be scanned (it is impossible to find the corresponding root certificate), the certificate will be ignored and the session keeps running in its normal way; •Try—request the server certificate. If the certificate is not provided, the will continue in its normal way. If the server certificate is provided but cannot be checked (it is impossible to find the corresponding root certificate), the session will be terminated; •Yes—request the server certificate. If the certificate is not provided or cannot be scanned (it is impossible to find the corresponding root certificate), the session is terminated. For LDAP data sources this certificate verification mode influences the way the URL is processed when the ldaps:// scheme or the StartTLS extension is used; and for AD data sources it will influence connections to the server, if UseSSL=Yes has been specified in the corresponding section (see below). Default value: Yes |
LdapCertificatePath {path to file} |
Path to the SSL certificate used for connection to the LDAP servers (Active Directory) via a secure SSL/TLS connection. Please note that the certificate file and the private key file (which is specified by a parameter described below) must form a matching pair. Default value: (not set) |
LdapKeyPath {path to file} |
Path to the private key used for connection to the LDAP servers (Active Directory) via a secure SSL/TLS connection. Please note that the certificate file and the private key file (which is specified by the mentioned parameter) must form a matching pair. Default value: (not set) |
LdapCaPath {path} |
Path to the directory or file with system list of trusted root certificates which are trusted for sharing data through the LDAP protocol via SSL/TLS. Default value: <path to the list of trusted certificates>. The path depends on your GNU/Linux distribution. •For Astra Linux, Debian, Linux Mint, SUSE Linux and Ubuntu, usually it is a path /etc/ssl/certs/. •For CentOS and Fedora—a path /etc/pki/tls/certs/ca-bundle.crt. •For other distributions a path can be defined through results of execution of the command openssl version -d. •If a command is unavailable or an OS distribution could not be identified, the value /etc/ssl/certs/ is used. |
DbIdleTimeout {time interval} |
The time-out period at the end of which the established connection to the database (or the Redis storage) will be broken if it is idle. Default value: 5m |
MysqlDefaultConn {URL} |
The URI that sets the parameters for connecting to the MySQL database by default. Allowed values: •tcp://[<user>[:<password>]@][<host>][:<port>][/<database name>][?<parameter>=<value>[&…]]; •unix://[<user>[:<password>]@]<path to socket>[:<database name>][?<parameter>=<value>[&…]]. Note the URI requirements. Default value: (not set) |
PqDefaultConn {URL} |
The URI that sets the parameters for connecting to the PostgreSQL database by default. Allowed values: •tcp://[<user>[:<password>]@][<host>][:<port>][/<database name>][?<parameter>=<value>[&…]]; •unix://[<user>[:<password>]@]<path to socket>[:<database name>][?<parameter>=<value>[&…]]. Note the URI requirements. Default value: (not set) |
SqliteDefaultConn {path to file} |
Path to a default SQLite database file (specify the file:// scheme prefix). Default value: (not set) |
RedisDefaultConn {URL} |
The URL that sets the connection parameters for the Redis database by default. Allowed values: •tcp://[<password>@][<host>][:<port>][/<database index>]; •unix://[<password>@]<socket path>[:<database index>]. Note the URI requirements. Default value: (not set) |
URI requirements for database connection
1.Use only the tcp: and unix: scheme prefixes (for local UNIX sockets). database-specific prefixes (such as postgresql: and mysql:) are not supported. Path to a SQLite database file is specified with the file:// scheme prefix.
2.If the <host> field is not specified in URI or the localhost host is specified, the 127.0.0.1 host address is substituted. In this case for the MySQL and PostgreSQL databases, the connection is established by default via a local UNIX socket in spite that a network connection is specified.
3.If URI fields (such as <user>, <password>, <database name>, and so on) or the connection-parameters string contain special characters (space, column, and so on), use hex coding, for example:
▫space—"%20";
▫':'—"%3A";
▫'/'—"%2F";
▫'@'—"%40";
▫'%'—"%25".
4.For MySQL, the connection parameter string can only include the following parameters:
Parameter name |
Convention in database documents |
Type |
Description |
|---|---|---|---|
init |
MYSQL_INIT_COMMAND |
String |
A SQL command to be executed after connecting to the database |
compression |
MYSQL_OPT_COMPRESS |
Logical |
Use data compression |
connect-timeout |
MYSQL_OPT_CONNECT_TIMEOUT |
Integer |
Time-out for disconnecting an unused connection in seconds |
reconnect |
MYSQL_OPT_RECONNECT |
Logical |
Allow or deny automatic reconnection |
read-timeout |
MYSQL_OPT_READ_TIMEOUT |
Integer |
Time-out for receiving packets from server in seconds |
write-timeout |
MYSQL_OPT_WRITE_TIMEOUT |
Integer |
Time-out for sending packets to the server in seconds |
charset |
MYSQL_SET_CHARSET_NAME |
String |
Name of the character encoding used for the default connection |
plugin-dir |
MYSQL_PLUGIN_DIR |
String |
Path to the directory on the server storing the plug-ins |
nonblock |
MYSQL_OPT_NONBLOCK |
Integer |
Stack size for non-blocking I/O operations |
ssl-key |
MYSQL_OPT_SSL_KEY |
String |
Path to the private key (in PEM format) used to establish a secure connection |
ssl-cert |
MYSQL_OPT_SSL_CERT |
String |
Path to the public key certificate (in PEM format) used to establish a secure connection |
ssl-ca |
MYSQL_OPT_SSL_CA |
String |
Path to the file (in PEM format) containing trusted CA certificates |
ssl-capath |
MYSQL_OPT_SSL_CAPATH |
String |
Path to the directory containing trusted CA certificates (in PEM format) |
ssl-cipher |
MYSQL_OPT_SSL_CIPHER |
String |
List of supported encryption algorithms for secure connection |
ssl-crl |
MYSQL_OPT_SSL_CRL |
String |
Path to the file (in PEM format) containing revoked certificates |
ssl-crlpath |
MYSQL_OPT_SSL_CRLPATH |
String |
Path to the directory containing revoked certificates (in PEM format) |
ssl-fp |
MARIADB_OPT_SSL_FP |
String |
the SHA1 hash of the valid server certificate |
ssl-fp-list |
MARIADB_OPT_SSL_FP_LIST |
String |
Path to the file containing the SHA1 hashes of valid server certificates |
tls-passphrase |
MARIADB_OPT_TLS_PASSPHRASE |
String |
Password for the password-protected client private key |
tls-version |
MARIADB_OPT_TLS_VERSION |
String |
List of supported TLS versions |
server-verify-cert |
MYSQL_OPT_SSL_VERIFY_SERVER_CERT |
Logical |
Allow or deny verification of server certificates |
server-public-key-path |
MYSQL_SERVER_PUBLIC_KEY |
String |
Path to the file (in PEM format) containing the RSA server public key |
Read more on these parameters in the documents to the database: https://mariadb.com/kb/en/mysql_optionsv/.
5.For the PostgreSQL database also refer to https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-PARAMKEYWORDS.
In addition to the general section [LookupD], the configuration file also contains sections that describe connections to data sources (one section for each connection). These sections are named using the following scheme: [LookupD.<type>.<name>], where:
•<type>—connection type:
▫LDAP—for directory service that uses LDAP;
▫AD—Active Directory service;
▫AllMatch—for text file in the AllMatch mode (full identity);
▫Mask—for text file in the Mask mode (mask identity);
▫Regex—for text file in the Regex mode (identity to a regular expression in PCRE standard);
▫Cidr—for text file in the Cidr mode (IP addresses or IP address ranges identity);
▫Pq—for the PostgreSQL database;
▫Mysql—for the MySQL database;
▫Sqlite—for the SQLite database;
▫Redis—for the Redis database;
•<name>—is a unique identifier (tag) for the connection, by which the connection can be referred to from the rules.
For example: [LookupD.LDAP.auth1]. The set of parameters that are included inside the section of a data source depends on the type of connection. There is no restriction on the number of data source sections.
1.Parameters used in sections of LDAP type
Parameter |
Description |
||
Url {string} |
URL that defines the used LDAP server and extracted data. According to RFC 4516, URL is built on the basis of the following scheme: <scheme>://<host>[:<port>]/<dn>[?<attrs>[?<scope>[?<filter>[?<extensions>]]]] Where: <scheme>—method of connection to the server (the following schemes are allowed: ldap, ldaps and ldapi); <host>[:<port>]—LDAP server address that receives a request; <dn>—distinguished name of an object. Information on this object has been sent; <attrs>—names of the record attributes, the values of which must be received in the request; <scope>—search scope (base, one, sub); <filter>—filtering condition for values of extracted attributes; <extensions>—list of LDAP extensions used in the request. Features •In the list of attributes <attrs>, it is possible to use special characters of choice '*', '+' and '1.1'. •The following automatically resolved placeholders can be used in the <dn> and <filter> parts of the URL: ▫$u is automatically replaced with user, the user name, sent by the client component; ▫$d is automatically replaced with domain, the domain, sent by the client component; ▫$D—chain <subdomain>.<domain>, modified into dc=<subdomain>,dc=<domain>; ▫$$—an '$' character. •If the condition <filter> requires usage of special characters (for example: '*', '(', ')', '\', character with code 0) as usual ones, they should be written as \XX. Besides, special characters in URL LDAP are encoded using sequences %XX. For example, when using URL according to the scheme ldapi of the character '/' as a part of the path to the local LDAP server socket, this character is encoded as %2f. •As allowed extensions in <extensions>, only StartTLS and 1.3.6.1.4.1.1466.20037 are supported, they include usage of the TLS mechanism (i.e. establishment of the protected connection with the LDAP server, even if it does not explicitly indicate usage of the protected scheme ldaps) If the name of the used extension is preceded by the character '!', then usage of TLS is required, i.e. in case the establishment of the secure connection is impossible, the request will not be handled. Otherwise, the request will be handled even if the secure connection is not established.
Examples: "ldaps://ds.example.com:990/$D?givenName,sn,cn?sub?(uid=$u)" Default value: (not set) |
||
BindDn {string} |
An object in the LDAP directory to which the user is bound to get authorization. Example: "cn=admin,dc=nodomain". Default value: (not set) |
||
BindPassword {string} |
The user’s password for authentication on the LDAP server. Default value: (not set) |
||
ChaseReferrals {Boolean} |
Instructs the component to follow references to other LDAP servers, if the current LDAP server returns them as a reply to the request. Default value: No |
2.Parameters used in sections of AD type
Parameter |
Description |
Host {string} |
The domain name (FQDN) or the IP address of the host on which the server of the Active Directory service that you would like to connect to is running. Example: "win2012.win.local". Default value: (not set) |
Port {integer} |
Port on the host which is listened to by the server of the Active Directory service. Default value: 389 |
Dn {string} |
DN of an object in the Active Directory; it is similar to the dn part of an LDAP URL. Example: "dc=win,dc=local". Default value: (not set) |
User {string} |
The full identifier of a user on the server, to be used for identification. Example: "Administrator@WIN.LOCAL". Default value: (not set) |
Password {string} |
Password of the user for authentication on the Active Directory server. Default value: (not set) |
ChaseReferrals {Boolean} |
Instructs the component to follow references to other LDAP servers, if the current Active Directory server returns them as a reply to the request. Default value: No |
UseSSL {Boolean} |
Instructs to use SSL/TLS for connecting to the Active Directory. Default value: No |
3.Section parameters of AllMatch, Mask, Regex, Cidr types
Parameter |
Description |
File {path} |
Path to a text file containing search strings. Example: "/etc/file1". Default value: (not set) |
Features
•Strings from a file, specified in a section of AllMatch type, are used for the case-insensitive search for the exact string match.
•Strings of a file, specified in a section of the Mask type, are considered as masks (wildcards). Masks can be considered as a simplified version of regular expressions that contain standard and special characters. Matching the strings with the masks is implemented case-insensitively. Masks can contain the following special characters and expressions:
*—any character sequence;
?—any one symbol;
[<character set>]—a character from the set (for example, [bac]);
[<character set>]—a character that does not match any symbol from the set (for example, [!cab]);
[[:<class>:]]—a character from the POSIX class of characters (alnum, alpha, ascii, blank, cntrl, digit, graph, lower, print, punct, space, upper, xdigit).
A mask that matches a substring must contain the substring surrounded by the “*” symbols (e.g., *host*). If you need to specify one of the special characters, you need to escape character with the backslash: \[, \], \*, \?. If needed, the backslash can be escaped as well: \\. Escape of any other characters does not make any sense, e.g. the string \a\b\c\*\d\?\\ will be converted to the abc*d?\ string. Mask examples:
#Matches the “name” string exactly #Matches the three-character strings where #Matches the strings: “user”, “users”, “us3rr”, “ussr1”, and so on #Matches the strings: “.con”, “file.col”, “3...co!”, and so on #Matches any string that contains “host”, |
•Strings from file, specified in section of the Regex type, are interpreted as PCRE (Perl Compatible Regular Expressions) regular extensions. Matching the strings with the regular expressions is implemented case-insensitively. Examples of regular expressions:
#IPv4 #Email address in the .com domain |
•Strings from file, specified in section of the Cidr type, are interpreted as IP addresses or IP address ranges. IPv4 and IPv6 formats for IP addresses as well as IP address ranges are allowed. The subnet mask can be specified in bit (octet) format, as well as in CIDR (Classless Inter-Domain Routing) notation. For example:
#IPv4 #IPv6 |
4.Parameters used in sections of the Pq, Mysql, Sqlite type
Conn {string} |
Database connection string. Allowed values: •for the Mysql (MySQL), Pq (PostgreSQL) section: tcp://[<user>[:<password>]@]<host>[:<port>][/<database name>][?<parameter>=<value>[&…]] unix://[<user>[:<password>]@]<path to socket>[:<database name>][?<parameter>=<value>[&…]] Example: "tcp://user:pwd@localhost:1234/userdb", "unix://user:pwd@/tmp/pgsql.sock:userdb" Note the URI requirements. •for the Sqlite (SQLite) section: Path to a database file (specify the file:// scheme prefix). Example: "file:///home/user/users.db" Default value: defined by the corresponding *DefaultConn parameter value |
Request {string} |
SQL query string (SELECT) to a database. As for sources of AD and LDAP types, in query, the following automatically permitted markers can be used: •$u, $U is automatically replaced with user, the user name sent by the client component; •$d, $D is automatically replaced with domain, the domain sent by the client component; •$$ is replaced with '$' character. Example: "SELECT username FROM users INNER JOIN domains ON users.domain = domains.id WHERE domains.name = $d AND users.name = $u" Default value: (not set) |
|
As an SQL query, only query of the SELECT type can be specified. After implementing the substitutions, the query is transmitted to the database “as is”. If the query result contains more than one column, then all columns except the first one will be ignored. |
5.Parameters used in sections of the Redis type
Conn {string} |
Connection string with the Redis data storage. Allowed values: •tcp://[<password>@]<host>[:<port>][/<database index>] •unix://[<password>@]<socket path>[:<database index>] Note the URI requirements. Example: "tcp://localhost:6379" Default value: defined by RedisDefaultConn parameter value |
Request {string} |
Redis storage query string. In query, the following automatically permitted markers can be used: •$u, $U is automatically replaced with user, the user name sent by the client component; •$d, $D is automatically replaced with domain, the domain sent by the client component; •$$ is replaced with '$' character. Example: "HVALS bad_users" Default value: (not set) |
|
If the query result contains more than one column, then all columns except the first one will be ignored. |
Adding sections for new data sources
To add a new section for a new data source of a supported type with a <name> tag with the help of the Dr.Web Ctl command-line-based management tool for Dr.Web for UNIX Mail Servers (accessed with the drweb-ctl command), it is necessary to use the following command:
# drweb-ctl cfset LookupD.<type> -a <name> |
Example:
# drweb-ctl cfset LookupD.AD -a WinAD1 |
The first command will add a section named [LookupD.AD.WinAD1] into the configuration file, and the second command will modify the value of the Host parameter within this section.
Alternatively, you can write the new section directly into the configuration file, for example, by adding it to the end of the file:
[LookupD.AD.WinAD1] |
|
Both ways have an equal effect. But if you edit the configuration file, you will also need to apply the changed settings by sending a SIGHUP signal to the drweb-configd component. To do that, you can run the following command:
|