[389-users] ip address based aci

Hi all, after reading post on the lists regarding acis I was wondering what will be the preferred way to only grant access to the directory for hosts in the own network. On some comments I read that it's generally discouraged to use aci's with a "not" logic like: ip != 10.0.0.* or something like this. Does this apply to ip address based access too? My approach would be just someting like: aci: (targetattr = "*") (version 3.0;acl "Bind from special IPs only";deny (all) (ip != "192.168.100.*" and ip != "10.0.0.*);) do allow only from 192.168.100.* networks or from 10.0.0.*. As long as I understood, I have to define aci's for every base dn separately if I running multiple databases. Is there any way to define this for the whole server? Thanks and Regards Jan