Restricting access through connection handlers
For connection attempts that are able to reach the PingDirectory server, the server itself can make decisions about whether those connections should be accepted.
The first layer of defense is at the connection handler that accepts the connection. Connection handlers offer the following configuration properties for determining which clients should be accepted and which should be rejected:
allowed-client - An optional set of address masks that indicate which clients are allowed to establish connections to that connection handler. If one or more allowed-client values are defined, then only clients whose address matches one of those patterns are permitted.
denied-client - An optional set of address masks that indicate which clients are not allowed to establish connections to that connection handler. If one or more denied-client values are defined, then any connection from a client whose address matches one of those patterns is terminated.
Any values provided for the allowed-client and denied-client properties should be formatted as address masks. These address masks can take several forms, including:
- They can be raw IPv4 addresses, like 1.2.3.4.
- They can be raw IPv6 addresses. These addresses can use the full hexadecimal representation, such as 2001:fecd:ba23:cd1f:dcb1:1010:9234:4088, optionally surrounded by square brackets. They can also use the shorthand notation when appropriate, such as ::1, and IPv6 representations of IPv4 addresses can end with the dotted IPv4 representation, such as 0:0:0:0:0:ffff:1.2.3.4.
- They can be IPv4 addresses that use the asterisk as a wildcard character in one or more of the octets, such as 1.2.3.* or *.*.*.*.
- They can be an IPv4 or IPv6 address using CIDR notation to indicate the number of bits that are required to match, such as 1.2.3.0/24 or ::1/128.
- They can be IPv4 addresses followed by a slash and a subnet mask, such as 1.2.3.4/255.255.255.0.
- They can use resolvable host names, whether complete or using asterisks as wildcards, such as client.example.com or *.example.com.
For example, to configure the LDAP connection handler so that it only accepts client connections from the 192.168.0.0/24 subnet, you can use a change as in the following example.

dsconfig set-connection-handler-prop \
    --handler-name "LDAP Connection Handler" \
    --set allowed-client:192.168.0.0/24

Using an allowed-client value of either 192.168.0.0/255.255.255.0 or 192.168.0.* would also achieve the same result, since they are equivalent ways to express the same range of client addresses.
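To make the address-mask forms above concrete, the following is an added example (not PingDirectory's own code, and not how the server implements matching internally) that evaluates each mask form against a client address and then applies the allowed-client and denied-client rules. It uses a constructed reverse-DNS table so the host-name forms work offline; the precedence it assumes, that a denied-client match is checked first and always wins, is an assumption for the example and is not stated on this page.

```python
import fnmatch
import ipaddress
import re

# Constructed reverse-DNS table so the example runs offline. A real server
# resolves the client's address through the system resolver instead.
FAKE_REVERSE_DNS = {
    "192.168.0.25": "client.example.com",
    "10.9.8.7": "batch01.example.com",
    "203.0.113.5": "host5.example.net",
}

_IPV4_WILDCARD = re.compile(r"(\d{1,3}|\*)(\.(\d{1,3}|\*)){3}")


def _strip_brackets(value):
    # IPv6 literals may be written as [addr]; the brackets carry no meaning here.
    return value[1:-1] if value.startswith("[") and value.endswith("]") else value


def _normalize(addr):
    # An IPv4-mapped IPv6 address (e.g. ::ffff:1.2.3.4) is compared as the
    # embedded IPv4 address so masks written either way behave the same.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def mask_matches(mask, client_ip, reverse_dns=FAKE_REVERSE_DNS):
    """Return True if client_ip (a string) matches one address mask."""
    mask = mask.strip()
    addr = _normalize(ipaddress.ip_address(_strip_brackets(client_ip)))

    # Form: dotted IPv4 with optional asterisk wildcards per octet (1.2.3.*, *.*.*.*).
    # A plain IPv4 address such as 1.2.3.4 is the degenerate case with no wildcards.
    if _IPV4_WILDCARD.fullmatch(mask):
        if addr.version != 4:
            return False
        return all(m == "*" or m == o
                   for m, o in zip(mask.split("."), str(addr).split(".")))

    # Form: CIDR prefix (1.2.3.0/24, ::1/128) or IPv4 with a dotted subnet mask
    # (1.2.3.4/255.255.255.0). ip_network accepts both notations.
    if "/" in mask:
        try:
            net = ipaddress.ip_network(_strip_brackets(mask), strict=False)
        except ValueError:
            return False
        return addr.version == net.version and addr in net

    # Form: raw IPv6 address, optionally bracketed, full or shorthand notation.
    try:
        target = _normalize(ipaddress.ip_address(_strip_brackets(mask)))
    except ValueError:
        target = None
    if target is not None:
        return addr == target

    # Form: resolvable host name, complete or with asterisk wildcards (*.example.com).
    hostname = reverse_dns.get(str(addr))
    return hostname is not None and fnmatch.fnmatchcase(hostname.lower(), mask.lower())


def connection_allowed(client_ip, allowed_clients=(), denied_clients=(),
                       reverse_dns=FAKE_REVERSE_DNS):
    """Decide whether one connection is accepted under the handler's masks.

    Assumed precedence for this example (not stated on the page): any
    denied-client match rejects the connection; otherwise, if allowed-client
    masks are configured, the client must match at least one of them.
    """
    if any(mask_matches(m, client_ip, reverse_dns) for m in denied_clients):
        return False
    if allowed_clients and not any(mask_matches(m, client_ip, reverse_dns)
                                   for m in allowed_clients):
        return False
    return True


if __name__ == "__main__":
    # Mirrors the dsconfig example: only the 192.168.0.0/24 subnet is allowed.
    for ip in ("192.168.0.25", "10.9.8.7", "::ffff:192.168.0.40"):
        print(ip, "accepted" if connection_allowed(ip, ["192.168.0.0/24"]) else "rejected")
```

Because the three equivalent spellings from the page (192.168.0.0/24, 192.168.0.0/255.255.255.0 and 192.168.0.*) all reduce to the same octet or prefix comparison, the function accepts the same client set for each, which is a quick way to sanity-check a mask before committing it with dsconfig.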