For connection attempts that are able to reach the PingDirectory Server, the server itself can make decisions about whether those connections should be accepted.
The first layer of defense is at the connection handler that accepts the connection. Connection handlers offer the following configuration properties for determining which clients should be accepted and which should be rejected:
- An optional set of address masks that indicate which clients are allowed to establish connections to that connection handler. If one or more allowed-client values are defined, then only clients whose address matches one of those patterns are permitted.
- An optional set of address masks that indicate which clients are not allowed to establish connections to that connection handler. If one or more denied-client values are defined, then any connection from a client whose address matches one of those patterns are terminated.
Any values provided for the
denied-client properties should be formatted as address masks.
These address masks can take several forms, including:
- They can be raw IPv4 addresses, like
- They can be raw IPv6 addresses. These addresses can use the full hexadecimal
representation, such as
2001:fecd:ba23:cd1f:dcb1:1010:9234:4088optionally surrounded by square brackets. They can also use the shorthand notation when appropriate, such as
::1and IPv6 representations of IPv4 addresses can end with the dotted IPv4 representation, such as
- They can be IPv4 addresses that use the asterisk as a wildcard character in one or
more of the octets, such as
- They can be an IPv4 or IPv6 address using CIDR notation to indicate the number of
bits that are required to match, such as
- They can be IPv4 addresses followed by a slash and a subnet mask, such as
- They can use resolvable host names, whether complete or using asterisks as
wildcards, such as
For example, to configure the LDAP connection handler so that it only accepts client connections from the 192.168.0.0/24 subnet, you can use a change as in the following example.
dsconfig set-connection-handler-prop \ --handler-name "LDAP Connection Handler" \ --set allowed-client:192.168.0.0/24
allowed-client value of either
also achieve the same result since they are equivalent ways to express the same range of