Restricting server access using client connection policies - PingDirectory

Page created: 15 Jul 2022 |

Page updated: 20 Jan 2023

| 1 min read

9.2 Product PingDirectory Directory Capability Product documentation Content Type Administration User task IT Administrator Administrator Audience System Administrator Software Deployment Method

A client-established connection to the PingDirectory server is associated with a client connection policy. Use client connection policies to restrict the kinds of requests that the client can issue and impose resource limits for that connection.

Create a simple connection criteria.
The following example uses the dsconfig tool in non-interactive mode. It allows only the PingDirectory server’s IP address and loopback to have access.
```
$ bin/dsconfig set-connection-criteria-prop \ 
  --criteria-name allowed-ip-addrs \ 
  --add included-client-address:10.6.1.80 \ 
  --add included-client-address:127.0.0.1
```
Assign the criteria to the client connection policy.
```
$ bin/dsconfig set-client-connection-policy-prop \ 
  --policy-name new-policy \ 
  --set connection-criteria:allowed-ip-addrs
```
After you have run the command, access is denied to remote IP addresses. The PingDirectory server does not require a restart.
Add a remote IP range to the criteria.

Note:
For the following example, add 10.6.1.*.
```
$ bin/dsconfig set-connection-criteria-prop \ 
  --criteria-name allowed-ip-addrs \ 
  --add "included-client-address:10.6.1.*"
```
Access from any remote servers is allowed. The PingDirectory server does not require a restart.
To restore default behavior, remove the criteria from the connection policy.

Tip:
Include the LDAP or LDAPS connection parameters, such as host name, port, bindDN, bindPassword, with the dsconfig command.
```
$ bin/dsconfig set-client-connection-policy-prop \ 
  --policy-name new-policy --remove connection-criteria:allowed-ip-addrs
```
The PingDirectory server does not require a restart.