search cancel

r12.0 SP4: Can I block or exclude specific IP addresses from connecting to my Directory?


Article ID: 50889


Updated On:


CA Directory CA Security Command Center CA Data Protection (DataMinder) CA User Activity Reporting



CA Directory r12.0 SP4 now includes the ability to block specific IP addresses. This is incredibly useful in preventing problem servers from connecting to your Directory.


Configuring excluded addresses

To configure the exclude list, you add the " exclude-addresses " configuration command to the DSAs config files.

The command takes the following form:

set exclude-addresses = [ipv4 | ipv6] <address> [, ...];

Some command examples include:

set exclude-addresses = ipv4 ComputerHostname;
set exclude-addresses = ipv4 "";
set exclude-addresses = ipv4 "aaa.bbb.ccc.ddd";
set exclude-addresses = ipv4 Server1, Server2, Server3;
set exclude-addresses = ipv4 Server1, Server2, Server3, ipv6 "fe80::8dd3:2004:13aa:e39b%12";

Save the file, and run "dxsyntax" to confirm that the command has been specified correctly.

Once the DSA has been started, you can confirm that the DSA has loaded the configuration by connecting to the DSA's DXconsole port, and run the command "get stack;".

The output will look like:

Welcome to the DSA Management Console
dsa> get stack;
dap-psap         = ""
dsp-psap         = ""
disp-psap        = "DISP"
addresses        =
snmp-port        = 20389
console-port     = 20390
snmp-description = DXserver r12.0 (build 4457) Windows_NT/DXgrid 32-Bit
snmp-contact     = [email protected]
snmp-name        = optus
snmp-location    =
snmp-poll-community =
snmp-trap-community = public
xm-free-lists    = 0
xm-total-memory  = 2052629
 cert-dir    = config/ssld/personalities
 ca-file     = config/ssld/trusted.pem
 fips        = FALSE
 slot        = -1
exclude-addresses = aaa.bbb.ccc.ddd, aaa.bbb.ccc.dde, aaa.bbb.ccc.ddf, [fa81:0:0:1:8ea2:1001:12bb:e31b%73]

Testing excluded addresses

To test the configuration, simply use ldapsearch/dxsearch to connect to the applicable Directory server from one of the excluded addresses.

From the LDAP client (excluded address) perspective, you will see that it will fail to connect:

ldapsearch -h -p 20389 -b "o=Democorp,c=AU" -s sub "(oc=*)"
ldap_bind: Can't contact LDAP server (-1)

When connected to the DSAs DXconsole or reviewing the DSA logs, you will see a warning generated which reads:

[208] 20101119.112801.506 WARN : Call from aaa.bbb.ccc.ddd:2385 blocked by 'exclude' list


Component: ETRDIR