For connection attempts that are able to reach the PingDirectory server, the server itself can make decisions about whether those connections should be accepted.
The first layer of defense is at the connection handler that accepts the connection. Connection handlers offer the following configuration properties for determining which clients should be accepted and which should be rejected:
allowed-client
- An optional set of address masks that indicate which clients are allowed to establish connections to that connection handler. If one or more allowed-client values are defined, then only clients whose address matches one of those patterns are permitted.
denied-client
- An optional set of address masks that indicate which clients are not allowed to establish connections to that connection handler. If one or more denied-client values are defined, then any connection from a client whose address matches one of those patterns is terminated.
Any values provided for the allowed-client and denied-client properties should be formatted as address masks.
These address masks can take several forms, including:
- They can be raw IPv4 addresses, like 1.2.3.4.
- They can be raw IPv6 addresses. These addresses can use the full hexadecimal representation, such as 2001:fecd:ba23:cd1f:dcb1:1010:9234:4088, optionally surrounded by square brackets. They can also use the shorthand notation when appropriate, such as ::1, and IPv6 representations of IPv4 addresses can end with the dotted IPv4 representation, such as 0:0:0:0:0:ffff:1.2.3.4.
- They can be IPv4 addresses that use the asterisk as a wildcard character in one or more of the octets, such as 1.2.3.* or *.*.*.*.
- They can be an IPv4 or IPv6 address using CIDR notation to indicate the number of bits that are required to match, such as 1.2.3.0/24 or ::1/128.
- They can be IPv4 addresses followed by a slash and a subnet mask, such as 1.2.3.4/255.255.255.0.
- They can use resolvable host names, either complete or using asterisks as wildcards, such as client.example.com or *.example.com.
For example, to configure the LDAP connection handler so that it only accepts client connections from the 192.168.0.0/24 subnet, you can apply a dsconfig change like the following:
dsconfig set-connection-handler-prop \
--handler-name "LDAP Connection Handler" \
--set allowed-client:192.168.0.0/24
Using an allowed-client value of either 192.168.0.0/255.255.255.0 or 192.168.0.* would also achieve the same result, since they are equivalent ways to express the same range of client addresses.
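To make the mask forms above and the interplay of allowed-client and denied-client concrete, here is an added example matcher written for this page; it is not PingDirectory's implementation, and it assumes a small constructed reverse-DNS table (HOSTNAMES) in place of real name resolution so that it runs offline.

```python
import fnmatch
import ipaddress

# Constructed reverse-DNS table standing in for real resolution (assumption).
HOSTNAMES = {"192.168.0.25": "client.example.com", "10.0.0.9": "db.internal"}


def mask_matches(mask: str, addr: str) -> bool:
    """Return True if the client address matches one address mask.

    Supports the forms listed on this page: raw IPv4/IPv6 (brackets allowed),
    IPv4 wildcard octets, CIDR, IPv4 with dotted subnet mask, and host names
    with optional wildcards.
    """
    ip = ipaddress.ip_address(addr)
    mask = mask.strip("[]")
    if "/" in mask:
        net, suffix = mask.split("/", 1)
        if "." in suffix:  # 1.2.3.4/255.255.255.0 style dotted subnet mask
            return ip in ipaddress.ip_network((net, suffix), strict=False)
        return ip in ipaddress.ip_network(mask, strict=False)  # CIDR form
    if "*" in mask:
        parts = mask.split(".")
        if len(parts) == 4 and all(p.isdigit() or p == "*" for p in parts):
            # Wildcard in one or more IPv4 octets, e.g. 1.2.3.* or *.*.*.*
            return ip.version == 4 and fnmatch.fnmatchcase(addr, mask)
        # Otherwise a wildcarded host name such as *.example.com
        return fnmatch.fnmatchcase(HOSTNAMES.get(addr, ""), mask)
    try:
        # Raw IPv4 or IPv6 literal (incl. 0:0:0:0:0:ffff:1.2.3.4 style)
        return ip == ipaddress.ip_address(mask)
    except ValueError:
        return HOSTNAMES.get(addr) == mask  # complete host name


def connection_accepted(addr: str, allowed: list, denied: list) -> bool:
    """Apply the handler's rules: any denied-client match terminates the
    connection; if allowed-client is non-empty the client must match one."""
    if any(mask_matches(m, addr) for m in denied):
        return False
    if allowed and not any(mask_matches(m, addr) for m in allowed):
        return False
    return True


if __name__ == "__main__":
    print(connection_accepted("192.168.0.25", ["192.168.0.0/24"], []))  # True
    print(connection_accepted("192.168.1.5", ["192.168.0.0/24"], []))   # False
```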