The ip keyword is used to specify that a bind operation must originate from a specific IP address. The ip keyword uses this syntax:
ip = "IPaddressList" or ip != "IPaddressList"
The IPaddressList value is a list of one or more comma-separated elements from the following elements:
A specific IPv4 address: 123.45.6.7
An IPv4 address with wild cards to specify a subnetwork: 12.3.45.*
An IPv4 address or subnetwork with subnetwork mask: 123.45.6.*+255.255.255.192
An IPv6 address in any of its legal forms and contained in square brackets [ and ], as defined by RFC 2373and RFC 2732.
The following addresses are equivalent:
ldap://[12AB:0000:0000:CD30:0000:0000:0000:0000]
ldap://[12AB::CD30:0:0:0:0]
ldap://[12AB:0:0:CD30::]
An IPv6 address with a subnet prefix length: ldap://[12AB::CD30:0:0:0:0]/60
The bind rule is evaluated to be true if the client accessing the directory is located at the named IP address.
The ip keyword can be used to force all directory updates to occur from a given machine or network domain. However, the IP address from which a user authenticates can be spoofed, and can therefore not be trusted. Do not base ACIs on this information alone.
The wild card * can be used to specify a set of IP addresses.