You can use connection handler allowed and denied client rules to control which hosts can make TCP connections to the server. The OpenDS connection handler is responsible for accepting connections to the server. The configuration properties that control this are:
allowed-client - Specifies a set of host names or address masks that determine the clients that are allowed to establish connections to this Connection Handler. Valid values include a host name, a fully qualified domain name, a domain name, an IP address, or a subnetwork with subnetwork mask.
denied-client - Specifies a set of host names or address masks that determine the clients that are not allowed to establish connections to this Connection Handler. Valid values include a host name, a fully qualified domain name, a domain name, an IP address, or a subnetwork with subnetwork mask. If both allowed and denied client masks are defined and a client connection matches one or more masks in both lists, then the connection is denied. If only a denied list is specified, then any client not matching a mask in that list is allowed.
Note - Both IPv4 and IPv6 addresses are supported.
Both the allowed-client and denied-client properties share the same syntax to perform pattern matching against IP (IPv4 or IPv6) addresses and hostnames:
IP address - The IP address of the clients to be allowed or denied can be specified in the rule. For example:
ds-cfg-denied-client: 192.168.5.6
ds-cfg-allowed-client: 2001:fecd:ba23:cd1f:dcb1:1010:9234:4088
IP address with CIDR notation - A range of IP addresses can be allowed or denied by specifying an IP address using CIDR notation. For example:
ds-cfg-denied-client: 192.168.5.6/28
ds-cfg-allowed-client: 2001:0db8:1234::/48
The first denies clients in the range 192.168.5.0 - 192.168.5.15 and the second allows clients in the range 2001:0db8:1234:0000:0000:0000:0000:0000 - 2001:0db8:1234:ffff:ffff:ffff:ffff:ffff.
IP address with '*' notation - A range of IP addresses (IPv4 only) can be allowed or denied by specifying an IP address with a '*' character to match parts of the IP address. For example:
ds-cfg-denied-client: 192.168.5.*
ds-cfg-allowed-client: 129.45.*.*
The first example denies clients with IP addresses starting with 192.168.5 and the second allows clients with IP addresses starting with 129.45. Notice that the second example uses multiple match characters. To allow all IP addresses to match, the rule would look like:
DNS names - Clients can be restricted by DNS name. For example to restrict clients with the host name foo.example.com, enter:
DNS names with pattern matching - This is similar to IP address pattern matching. The property can specify the '*' character to match parts of the DNS name:
The property allows clients with DNS names such as: foo.bar.test.com or foo.foobar.test.com. To only match DNS names ending in a suffix the property would be:
This property allows clients with DNS names such as: test.example.com or test.me.example.com.
Note - Care should be taken when using DNS properties, since the host name resolution depends on the server name service configuration.
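The following is an added example, not OpenDS code, that evaluates allowed-client and denied-client masks in the syntax described above (exact IPv4/IPv6 address, CIDR range, IPv4 '*' wildcard, exact DNS name, DNS name with '*') and applies the documented decision rule: a client matching a denied mask is refused even when it also matches an allowed mask, a denied-only configuration admits every other client, and when an allowed list is present a client must match one of its masks. Two points are assumptions rather than statements from the page: the resolved client host name is passed in by the caller (the real server performs the reverse lookup itself), and a connection handler with no masks at all admits everyone.

```python
"""Evaluate OpenDS-style allowed-client / denied-client masks (added illustration)."""
import ipaddress
from fnmatch import fnmatchcase
from typing import Iterable, Optional


def _is_ip(text: str) -> bool:
    """True if text is a literal IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def _is_ipv4_wildcard(mask: str) -> bool:
    """True for masks such as 192.168.5.* or 129.45.*.* (four labels, digits or '*')."""
    labels = mask.split(".")
    return "*" in mask and len(labels) == 4 and all(l == "*" or l.isdigit() for l in labels)


def mask_matches(mask: str, client_ip: str, client_host: Optional[str] = None) -> bool:
    """Return True if a single mask matches the connecting client.

    client_host is the name resolved for the client; it is assumed to be supplied
    by the caller here.  A DNS mask can never match a client with no resolved name.
    """
    addr = ipaddress.ip_address(client_ip)
    if "/" in mask:
        # CIDR notation, e.g. 192.168.5.6/28 or 2001:0db8:1234::/48.
        # strict=False lets the host bits in the written address be non-zero.
        return addr in ipaddress.ip_network(mask, strict=False)
    if _is_ip(mask):
        # Exact address; comparing parsed objects handles IPv6 zero compression.
        return addr == ipaddress.ip_address(mask)
    if _is_ipv4_wildcard(mask):
        # '*' notation is IPv4 only: each '*' label matches any value in that position.
        if addr.version != 4:
            return False
        return all(m == "*" or m == c for m, c in zip(mask.split("."), str(addr).split(".")))
    if client_host is None:
        return False
    # DNS name, exact or with '*'. '*' may span several labels, so *.example.com
    # matches both test.example.com and test.me.example.com.
    return fnmatchcase(client_host.lower(), mask.lower())


def connection_allowed(allowed: Iterable[str], denied: Iterable[str],
                       client_ip: str, client_host: Optional[str] = None) -> bool:
    """Apply the documented decision rule for one incoming connection."""
    allowed, denied = list(allowed), list(denied)
    # A denied match wins even if an allowed mask also matches.
    if any(mask_matches(m, client_ip, client_host) for m in denied):
        return False
    # With an allowed list present, the client must match one of its masks.
    if allowed:
        return any(mask_matches(m, client_ip, client_host) for m in allowed)
    # Denied-only configuration (or, by assumption, no masks at all): admit the rest.
    return True


if __name__ == "__main__":
    # Constructed sample checks using the masks from the page.
    print(connection_allowed([], ["192.168.5.6/28"], "192.168.5.15"))            # False
    print(connection_allowed([], ["192.168.5.6/28"], "192.168.5.16"))            # True
    print(connection_allowed(["2001:0db8:1234::/48"], [], "2001:db8:1234:ffff::1"))  # True
    print(connection_allowed(["129.45.*.*"], ["129.45.1.1"], "129.45.1.1"))       # False
    print(connection_allowed(["*.example.com"], [], "10.0.0.1", "test.me.example.com"))  # True
```

Because a DNS mask is only as trustworthy as the reverse lookup behind it, the helper treats a client with no resolved name as matching no DNS mask at all, which is the conservative reading of the note above.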