
TLS client auth and ACLs: how to map certs to ACLs or LDAP users?



Hello

My environment:
Openldap 2.2.13-2 (RHEL4) as LDAP server, let's say it's ldap.kimmo.local
Many FC3 servers, which should authenticate users against ldap using TLS 
client authentication. Servers are serverN.kimmo.local where N is the number 
from 1 to 10.

I have enrolled certs for ldap and other servers, TLS client and Server 
authentication are working okay. Servers have certs with subject C=fi, 
O=myorg, CN=serverN.kimmo.local.

I would like to give those client-authenticated servers read-write access to 
the LDAP, so changing passwords or adding users would be possible.

Now, without ACLs, servers can read LDAP and thus users are able to log in. 
But changing passwords is not working; I think because the default ACLs allow 
only the rootdn to write.

Questions:
1. Do I have to create "users" in the LDAP which are the servers from 1 to 10, 
for example uid=server1,ou=servers,o=myorg,c=fi?

2. How do I map a TLS client-authenticated server to the ACL or LDAP user names 
so I can give read-write rights to those servers? I guess ACL user names are 
always users in LDAP, and rootdn is the only non-LDAP account?

I tried with the following ACL (the "by" clauses are continuation lines in 
slapd.conf, so they must be indented):
access to *
    by self write
    by users write
    by anonymous auth

but no luck; I cannot read or write with this ACL. 

Any ideas or pointers where to find examples or more information?
I don't have any experience with OpenLDAP ACLs.
Regards
Kimmo Koivisto
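An added example, not part of Kimmo's post: a verified TLS client certificate alone gives the connection no LDAP identity; slapd only sees a DN once the client binds with SASL EXTERNAL. The slapd.conf fragment below takes the names from the post, while the sasl-regexp mapping, the ou=servers branch and the CA file path are assumptions.

```conf
# slapd.conf fragment (added example; DNs taken from the post above,
# the sasl-regexp mapping and the ou=servers branch are assumptions).

# Verify the client certificate during the TLS handshake; only then does
# slapd know the certificate subject, which SASL EXTERNAL then uses.
# The CA file path is a placeholder.
TLSCACertificateFile /etc/openldap/cacerts/ca.crt
TLSVerifyClient demand

# A server that binds with SASL EXTERNAL over TLS gets the certificate
# subject as its authentication DN, e.g. cn=server1.kimmo.local,o=myorg,c=fi.
# Map that onto the entry form from question 1; slapd does not require the
# mapped entry to exist for the ACLs below to match. The pattern is matched
# case-insensitively and $1 is the "serverN" part of the CN.
sasl-regexp
    "^cn=(server[0-9]+)\.kimmo\.local,o=myorg,c=fi$"
    "uid=$1,ou=servers,o=myorg,c=fi"

# ACLs are evaluated in order and the first matching "by" clause wins,
# so the server clause must come before the generic ones.
# userPassword: owners and the servers may change it, everybody else may
# only use it to bind, and nobody can read the hash.
access to attrs=userPassword
    by dn.children="ou=servers,o=myorg,c=fi" write
    by self write
    by anonymous auth
    by * none

# Everything else: servers may add and modify entries, entry owners may
# modify themselves, everybody else keeps read access (the 2.2 default,
# which unauthenticated nss_ldap lookups before login rely on).
access to *
    by dn.children="ou=servers,o=myorg,c=fi" write
    by self write
    by * read

# Check from server1 (TLS_CERT and TLS_KEY set in its ldap.conf) that the
# mapping works before debugging the ACLs:
#   ldapwhoami -ZZ -Y EXTERNAL -H ldap://ldap.kimmo.local
# Expected reply once the mapping applies:
#   dn:uid=server1,ou=servers,o=myorg,c=fi
```

If ldapwhoami still reports the raw certificate subject, the sasl-regexp pattern does not match the DN slapd derived from the certificate, so adjust the pattern to what ldapwhoami prints rather than the ACLs.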