Restricting server access using client connection policies
A client-established connection to the PingDirectory server is associated with a client connection policy. Use client connection policies to restrict the kinds of requests that the client can issue and to impose resource limits on that connection.
Steps
-
Create a simple connection criteria.
Example:
The following example uses the dsconfig tool in non-interactive mode. It allows only the PingDirectory server's IP address and the loopback address to have access.

  $ bin/dsconfig set-connection-criteria-prop \
      --criteria-name allowed-ip-addrs \
      --add included-client-address:10.6.1.80 \
      --add included-client-address:127.0.0.1

-
Assign the criteria to the client connection policy.
Example:

  $ bin/dsconfig set-client-connection-policy-prop \
      --policy-name new-policy \
      --set connection-criteria:allowed-ip-addrs

Result:
After you have run the command, access is denied to remote IP addresses. The PingDirectory server does not require a restart.
-
Add a remote IP range to the criteria.
For the following example, add 10.6.1.*.
Example:

  $ bin/dsconfig set-connection-criteria-prop \
      --criteria-name allowed-ip-addrs \
      --add "included-client-address:10.6.1.*"

Result:
Access from any remote servers is allowed. The PingDirectory server does not require a restart.
-
To restore default behavior, remove the criteria from the connection policy.
Include the LDAP or LDAPS connection parameters, such as host name, port, bindDN, and bindPassword, with the dsconfig command.
Example:

  $ bin/dsconfig set-client-connection-policy-prop \
      --policy-name new-policy \
      --remove connection-criteria:allowed-ip-addrs

Result:
The PingDirectory server does not require a restart.
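The steps above, wrapped in a small POSIX shell helper as an added example (not part of the PingDirectory documentation or product). It validates each client address against the two forms shown in the procedure, refuses to apply a criteria that omits 127.0.0.1 so an administrator cannot lock themselves out of their own server, passes wildcard values as separate arguments so the shell never glob-expands them, and prints the commands in dry-run mode before anything touches a live server. The installation path, the DS_* environment variables and the dsconfig connection flags (--hostname, --port, --useSSL, --bindDN, --bindPasswordFile, --trustStorePath, --no-prompt) are assumptions.

```shell
#!/bin/sh
# Added example, not product code. Assumes dsconfig lives under $DS_HOME/bin.
DS_HOME="${DS_HOME:-/opt/pingdirectory}"
CRITERIA="${CRITERIA:-allowed-ip-addrs}"
POLICY="${POLICY:-new-policy}"

# Accept only the two forms used in the procedure: a full dotted quad
# (10.6.1.80) or a dotted prefix ending in '*' (10.6.1.*). Anything else is
# rejected so a typo cannot silently widen the allow-list.
valid_client_address() {
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}([0-9]{1,3}|\*)$'
}

# DRY_RUN=1 (the default) prints the command for review; DRY_RUN=0 executes
# it with the assumed LDAPS connection parameters.
run_dsconfig() {
  if [ "${DRY_RUN:-1}" = 1 ]; then
    printf '%s\n' "dsconfig $*"
  else
    "$DS_HOME/bin/dsconfig" --no-prompt --useSSL \
      --hostname "${DS_HOST:-localhost}" --port "${DS_PORT:-636}" \
      --bindDN "${DS_BIND_DN:-cn=Directory Manager}" \
      --bindPasswordFile "${DS_PW_FILE:?set DS_PW_FILE}" \
      --trustStorePath "${DS_TRUST_STORE:?set DS_TRUST_STORE}" "$@"
  fi
}

# Steps 1-3: populate the criteria and attach it to the policy.
set_allowlist() {
  keep_loopback=1
  for addr in "$@"; do
    valid_client_address "$addr" || { echo "bad address: $addr" >&2; return 1; }
    [ "$addr" = 127.0.0.1 ] && keep_loopback=0
  done
  [ "$keep_loopback" -eq 0 ] || { echo "refusing: 127.0.0.1 missing" >&2; return 1; }
  # Rebuild "$@" as --add pairs; each value stays its own argument, unglobbed.
  n=$#
  while [ "$n" -gt 0 ]; do
    addr=$1; shift; n=$((n - 1))
    set -- "$@" --add "included-client-address:$addr"
  done
  run_dsconfig set-connection-criteria-prop --criteria-name "$CRITERIA" "$@" &&
  run_dsconfig set-client-connection-policy-prop --policy-name "$POLICY" \
    --set "connection-criteria:$CRITERIA"
}

# Step 4: detach the criteria and return the policy to default behaviour.
restore_default() {
  run_dsconfig set-client-connection-policy-prop --policy-name "$POLICY" \
    --remove "connection-criteria:$CRITERIA"
}
```

Source the file, review the output of `set_allowlist 127.0.0.1 10.6.1.80 '10.6.1.*'`, then rerun with `DRY_RUN=0` and the DS_* variables set to apply it.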