want to set up something a little more complex, not sure how to start. (hosts authenticated against openldap server)
Christ Schlacta
aarcane at aarcane.org
Thu Nov 18 06:01:13 CET 2010
I've currently got a single host configured to have a certificate; the
certificate is issued on a per-host basis. I want to somehow link a
specific machine to a specific SSL certificate. It's my understanding
that OpenLDAP or MySQL can do this. I'd prefer not to use MySQL, as the
MySQL authentication server is already running on a separate server from
my RADIUS server, and I want the RADIUS server to be self-sufficient.
The load is low enough to sustain this, but I'd also prefer not to
maintain 2 MySQL servers separately. Ergo, MySQL is a last-resort
solution. That leaves OpenLDAP.

I should say now I'm authenticating wireless clients over WPA2 +
EAP-TLS. I'm still looking for a fairly simple "install a
keypair+cacert on a client and it just works from then on", but I'd like
to register in OpenLDAP that a given host (identified by some
combination of name, MAC address) is permanently tied to a given
certificate. If the host and certificate don't match, I'd want to get
some sort of notification in the logs or an e-mail alert or similar.

What I don't want is for users to have to maintain any sort of
"password" or "username" to connect to the wireless network. We're not
using passwords now; we don't want to add complexity to the user side.

I'm not really sure how to accomplish authorizing a certificate that's
already passed TLS authentication, but if it's possible, I know you
folks will be able to point me to a guide or provide some input as to
how to accomplish this.
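One way to do the "authorize a certificate that has already passed TLS authentication" step the post asks about is a post-auth policy in the FreeRADIUS unlang language. The following is an added example, not code from the original post or from the FreeRADIUS project, and it makes these assumptions: FreeRADIUS 2.x with rlm_ldap configured and its `%{ldap:...}` xlat available; host records stored in OpenLDAP under `ou=hosts,dc=example,dc=com` (placeholder base DN) as `ieee802Device` entries whose `macAddress` attribute holds the MAC, plus a site-specific attribute named here `x-certSerial` (a placeholder name for your own schema) holding the certificate serial exactly as FreeRADIUS reports it in `TLS-Client-Cert-Serial` (lowercase hex; confirm the format in `radiusd -X` output); and the access point sends `Calling-Station-Id` in `aa-bb-cc-dd-ee-ff` form.

```unlang
# Added example: post-auth section for the virtual server that handles the
# EAP-TLS clients (e.g. sites-enabled/default). Assumes FreeRADIUS 2.x.
#
# Example (constructed) directory entry the lookup below expects:
#   dn: cn=laptop01,ou=hosts,dc=example,dc=com
#   objectClass: ieee802Device
#   macAddress: aa-bb-cc-dd-ee-ff
#   x-certSerial: 1a2b3c4d        <- placeholder attribute name, site-specific
post-auth {
	# TLS-Client-Cert-* attributes are only present once EAP-TLS has
	# verified the client certificate, so the binding check applies only
	# to those sessions and leaves any other auth types untouched.
	if (TLS-Client-Cert-Serial) {
		# Normalise the NAS-supplied MAC so it matches the directory form.
		update request {
			Tmp-String-0 := "%{tolower:%{Calling-Station-Id}}"
		}

		# Fetch the serial bound to this MAC. rlm_ldap escapes the expanded
		# value when building the filter; the empty string means no entry.
		update request {
			Tmp-String-1 := "%{ldap:ldap:///ou=hosts,dc=example,dc=com?x-certSerial?sub?(macAddress=%{Tmp-String-0})}"
		}

		# Unregistered host: valid certificate, but no binding on file.
		if ("%{Tmp-String-1}" == "") {
			reject
		}

		# Registered host presenting a certificate other than the bound one.
		# The reject is written to the auth log as a "Login incorrect" line
		# when radiusd.conf has log { auth = yes }, which gives the log
		# notification the post asks for; an e-mail hook can watch that log.
		if ("%{Tmp-String-1}" != "%{TLS-Client-Cert-Serial}") {
			reject
		}
	}
}
```

Two caveats worth keeping in mind: the MAC in `Calling-Station-Id` is reported by the access point and is trivially changed on the client, so this binding is an inventory-consistency check on top of EAP-TLS rather than a second authentication factor; and because the policy runs in post-auth, a mismatch still shows up in the debug output with the full certificate subject and serial, which is the quickest way to confirm the stored `x-certSerial` value matches what the module actually sees.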