Openldap ACL's (first timer)

[Craig T <sysadmin@shakenbake.net>]

Hi Openldap Experts,

I'm designing a fairly simple openldap setup for our Melbourne office, but it's my first LDAP site, so I'm kinda guessing....

LdapServer1: Centos 5.3x64 with db-4.7.25 and openldap-2.4.16 and the clients are Linux Centos 5.2.
I've already got everything working with the basic acl setup of 'access to * by * read', the challenge now is how to best secure the LDAP environment with the right acls?

Scenario 1)
We'd like to restrict members to only be able to logon at certain machines.
The concept I'm missing is, how does the LDAP protocol link the user authenticated to a hostname (machine user is sitting at)?

For example, user "cn=craig,ou=users,dc=example,dc=com" would like to log onto pc "craigpc.example.com ip:192.168.0.100".
>From my study the following acls may work?

access to dn.base="cn=craig,ou=users,dc=example,dc=com" attrs=userPassword
    by peername.regex=IP:192\.168\.0\.100 & self read
    by * none


Scenario 2)
How to setup groups (or "sets" I believe they are called) in a way where user "Craig" can be added to the "sysadmin" group and in turn get full access to all our servers. 

LDIF ENTRY:
# sysadmin, groups, teratext.saic.com.au
dn: cn=sysadmin,ou=groups,dc=example,dc=com
objectClass: top
objectClass: groupOfNames
cn: teratext
member: cn=cht,ou=users,dc=example,dc=com 
member: cn=ajg,ou=users,dc=example,dc=com 


ACCESS ENTRY:
access to dn.subtree="ou=servers,dc=example,dc=com"
       by set="[cn=sysadmin,ou=groups,dc=example,dc=com]/member* & peername.regex=IP:192\.168\.0\.*" auth
       by * none

cya

Craig