You receive several policy server notifications that IMSVA is unable to connect to the LDAP server with the following subject:
Policy Server can not connect to LDAP server for user and group querying, rule matching stop.
You are concerned that configured policies are not being applied to the mail because of this failed connection to the LDAP server.
Once the IMSVA policy server starts, it will create an LDAP connection pool. If the policy server needs to query the LDAP server, it will use one LDAP connection and return it to the pool afterwards.
If any of the following events occurs during this process, IMSVA will not be able to query the LDAP server and a notification will be sent every three minutes:
- LDAP connections are reset.
- LDAP server is temporarily unavailable.
- IMSVA queries the LDAP server and the connection times out.
However, the appropriate rules will still be applied to emails because IMSVA keeps an LDAP cache. Email processing will not stop.
To verify if policies were applied
Run tcpdump on the IMSVA server and limit the capture to the LDAP server only. When the customer receives an email notification, stop tcpdump and check the actual event between the LDAP server and IMSVA.
For further analysis, collect the imss.mgr and log.imss debug logs. For the procedure, refer to this KB article: Debugging the InterScan Messaging Virtual Appliance (IMSVA) 7.0 application.
To decrease the number of policy notifications received
Increase the time interval between notifications so that IMSVA will not notify multiple times for a single event:
- Go to the /opt/trend/imss/config folder and open the imss.ini file.
- Add the following:
Increase the time interval by replacing the default value “3” with a higher value.
- Save the changes and close the file.
- Restart the /opt/trend/imss/S99POLICY script by running the following command:
# /opt/trend/imss/S99POLICY restart
To disable LDAP lookup
While IMSVA 8.0 and later handle LDAP queries more intelligently than IMSVA 7.0 when no rule contains LDAP users, you can disable LDAP for policy evaluation entirely under the following conditions:
- The Internal Addresses list does not contain any LDAP user or group.
- No policy makes use of an LDAP user or group.
- IP Profiler is disabled.
- Edit the imss.ini file.
- Under the [policy_server] section, add the following line:
disableldap=yes
If the [policy_server] section does not exist, add it at the bottom of the file together with the parameter.
- Save the changes.
- Restart the following services:
- Trend Micro IMSS Scan Service
- Trend Micro IMSS Policy Service
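The following Python script is an added worked example (not Trend Micro's code) that applies the imss.ini change above idempotently: it sets disableldap=yes under [policy_server], replacing an existing value or appending the section at the bottom of the file when it is absent, as the article instructs, and keeps a .bak copy before writing. It assumes imss.ini is a plain key=value INI file and that the script runs with write access to /opt/trend/imss/config.

```python
import re
import shutil
import sys

IMSS_INI = "/opt/trend/imss/config/imss.ini"  # path given in the article


def set_ini_key(text: str, section: str, key: str, value: str) -> str:
    """Return INI text with key=value set under [section].

    Existing key: replaced in place. Section without the key: key appended to it.
    Missing section: appended at the bottom together with the key (what the
    article prescribes for a missing [policy_server]). Other lines are untouched.
    """
    lines = text.splitlines()
    header = f"[{section}]"
    start = next((i for i, l in enumerate(lines)
                  if l.strip().lower() == header.lower()), None)
    if start is None:
        if lines and lines[-1].strip():
            lines.append("")  # blank line separating the new section
        lines.extend([header, f"{key}={value}"])
        return "\n".join(lines) + "\n"
    # Section ends at the next [header] or at end of file.
    end = next((j for j in range(start + 1, len(lines))
                if re.match(r"\s*\[.*\]\s*$", lines[j])), len(lines))
    key_re = re.compile(rf"^\s*{re.escape(key)}\s*=", re.IGNORECASE)
    for j in range(start + 1, end):
        if key_re.match(lines[j]):
            lines[j] = f"{key}={value}"
            return "\n".join(lines) + "\n"
    # Insert before the section's trailing blank lines to keep spacing intact.
    insert_at = end
    while insert_at > start + 1 and not lines[insert_at - 1].strip():
        insert_at -= 1
    lines.insert(insert_at, f"{key}={value}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else IMSS_INI
    shutil.copy2(path, path + ".bak")  # keep a backup before editing
    with open(path) as fh:
        original = fh.read()
    with open(path, "w") as fh:
        fh.write(set_ini_key(original, "policy_server", "disableldap", "yes"))
```

Restart the Trend Micro IMSS Scan Service and Policy Service afterwards, as described above, for the change to take effect.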