I have a group of 3 machines with a single LDAP server. I needed to restrict access from outside but allow anonymous binds from within the group. I had success with:

    access to * ...
        by * peername = "IP:127\.0\.0\.1" read
        by * peername = "IP:xxx\.yyy\.zzz\.aa[123]" read
        ...

The "*" before peername is required!
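The ACL above depends on regular-expression matching of the peer name. As an added example (not part of the original post), this Python script checks which constructed peer names the two patterns admit as posted and with anchors added. It assumes slapd applies the pattern as an unanchored search and that the peer name has the form `IP:addr:port`; `192.0.2.1[123]` stands in for the elided address.

```python
import re

# Constructed stand-ins: 192.0.2.x replaces the post's elided xxx.yyy.zzz.aa prefix.
AS_POSTED = [r"IP:127\.0\.0\.1", r"IP:192\.0\.2\.1[123]"]
# Same patterns, anchored at both ends; the optional ":port" tail is an assumption.
ANCHORED = [r"^IP:127\.0\.0\.1(:[0-9]+)?$", r"^IP:192\.0\.2\.1[123](:[0-9]+)?$"]


def access(peername, patterns):
    """Return 'read' if any by-clause pattern matches, else 'none'.

    Assumption: clauses are tried in order, the first match wins, and a
    client that matches no clause gets no access.
    """
    for pat in patterns:
        if re.search(pat, peername):  # unanchored search (assumed slapd behaviour)
            return "read"
    return "none"


# Constructed peer names, not taken from any real log.
SAMPLES = [
    "IP:127.0.0.1:51000",    # local client
    "IP:192.0.2.11:40021",   # group member
    "IP:192.0.2.13:40023",   # group member
    "IP:192.0.2.14:40024",   # neighbour outside the group
    "IP:192.0.2.130:40025",  # outside the group, shares the "13" prefix
    "IP:198.51.100.7:40026", # unrelated network
]


def audit(samples=SAMPLES):
    """Return (peername, access as posted, access when anchored) per sample."""
    return [(p, access(p, AS_POSTED), access(p, ANCHORED)) for p in samples]


if __name__ == "__main__":
    for peer, loose, strict in audit():
        note = "  <-- wider than intended" if loose != strict else ""
        print(f"{peer:24} posted={loose:5} anchored={strict:5}{note}")
```

If the server's peer name format differs (for example no port suffix), adjust the tail of the anchored patterns before relying on them.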