3.1.1.3.4.8 LDAP IP-Deny List

The IP Deny list specifies a set of IP addresses from which the DC will reject incoming LDAP connection requests. The IP Deny list is stored in the lDAPIPDenyList attribute on the queryPolicy object. The DC retrieves the lDAPIPDenyList attribute from the same queryPolicy object from which it retrieves the lDAPAdminLimits attribute, as described in section 3.1.1.3.4.6.

The lDAPIPDenyList attribute is a multivalued attribute. Each value of the attribute is a string in the following form:

X.X.X.X M.M.M.M

where X.X.X.X is an IP address and M.M.M.M is a network mask. A connection from an IP address Y.Y.Y.Y will be rejected if the bitwise AND of Y.Y.Y.Y and M.M.M.M equals X.X.X.X.

For example, the value "157.59.132.0 255.255.255.0" would cause requests from IP addresses 157.59.132.0 through 157.59.132.255 to be rejected. The value "157.59.132.245 255.255.255.255" would reject only IP address 157.59.132.245.

The IP Deny list is only supported on IPv4 connections. Active Directory does not support this mechanism on IPv6 connections.
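The following is an added worked example, not code from this specification or from Active Directory, that evaluates lDAPIPDenyList values exactly as defined above: parse each "X.X.X.X M.M.M.M" value, and reject a client address Y.Y.Y.Y when (Y AND M) equals X. It also applies the IPv4-only rule by never matching IPv6 clients, and includes a check a practitioner would want when auditing a deny list: an entry whose address X has bits set outside its mask M can never match any client, because (Y AND M) can never reproduce those bits. The function names, the sample deny list and the sample client addresses are constructed for this example.

```python
"""Evaluate lDAPIPDenyList entries per the X.X.X.X M.M.M.M rule.

Added example; not code from MS-ADTS or from Active Directory.
"""
import ipaddress


def parse_deny_entry(value: str) -> tuple[int, int]:
    """Parse one lDAPIPDenyList value "X.X.X.X M.M.M.M" into (address, mask)
    as 32-bit integers. Raises ValueError on a malformed value."""
    parts = value.split()
    if len(parts) != 2:
        raise ValueError(f"malformed lDAPIPDenyList value: {value!r}")
    address = int(ipaddress.IPv4Address(parts[0]))
    mask = int(ipaddress.IPv4Address(parts[1]))
    return address, mask


def entry_is_effective(value: str) -> bool:
    """An entry can only ever match if X has no bits set outside M,
    i.e. (X AND M) == X. Otherwise (Y AND M) == X is impossible for every Y
    and the entry silently denies nothing (hypothetical audit helper)."""
    address, mask = parse_deny_entry(value)
    return (address & mask) == address


def is_denied(client_ip: str, deny_list: list[str]) -> bool:
    """Return True if a connection from client_ip must be rejected.

    Applies the section's rule: reject when (Y AND M) == X for any entry.
    The list applies to IPv4 connections only, so IPv6 clients never match.
    """
    addr = ipaddress.ip_address(client_ip)
    if addr.version != 4:
        return False
    y = int(addr)
    for value in deny_list:
        address, mask = parse_deny_entry(value)
        if (y & mask) == address:
            return True
    return False


# Constructed sample deny list: the two values quoted in the section text
# plus one deliberately ineffective entry (host bits set outside the mask).
SAMPLE_DENY_LIST = [
    "157.59.132.0 255.255.255.0",        # whole 157.59.132.0/24
    "157.59.132.245 255.255.255.255",    # the single host 157.59.132.245
    "10.0.0.5 255.255.255.0",            # never matches: 5 & 0 != 5
]


def audit_deny_list(deny_list: list[str]) -> list[str]:
    """Return the entries that can never match any client (audit helper)."""
    return [v for v in deny_list if not entry_is_effective(v)]


if __name__ == "__main__":
    for client in ["157.59.132.17", "157.59.133.17", "10.0.0.5", "2001:db8::1"]:
        print(f"{client:>16} denied={is_denied(client, SAMPLE_DENY_LIST)}")
    print("ineffective entries:", audit_deny_list(SAMPLE_DENY_LIST))
```

When reviewing a DC's queryPolicy, running the audit helper over the live lDAPIPDenyList values catches entries that look like they block a host or subnet but can never match because the address carries bits the mask clears.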