Is there any way to create an ACL rule which will match if a client
certificate was used on the connection or not?
I'd like to do an ACL such as
to attrs=userPassword
by peername.ip="1.2.3.0%255.255.255.0" auth
by client_ssf="64" auth
Also set olcTLSVerifyClient=try
This will let our internal network authenticate against LDAP
without needing a client cert, but anyone outside our internal
network must have one. We would then use our own CA to create
certificates for all the clients and tell OpenLDAP to trust only
that CA.
Obviously client_ssf doesn't exist, but is there another way of
accomplishing this goal?
-Patrick
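For reference, an added cn=config fragment (not part of Patrick's post) showing the strength clauses slapd.access(5) does provide next to the peername rule he already has. The suffix dc=example,dc=com, the database index {1}mdb and the CA file path are assumptions; the 1.2.3.0/24 network comes from the question.

```ldif
# Added example, not from the original post. Assumes a cn=config
# database, an mdb backend at olcDatabase={1}mdb, and a CA bundle at
# /etc/ldap/internal-ca.pem (all assumed names).
dn: cn=config
changetype: modify
replace: olcTLSVerifyClient
# never | allow | try | demand: only "demand" rejects a connection that
# presents no (or an unverifiable) client certificate; "try" lets a
# certificate-less client continue and leaves nothing for an ACL to test.
olcTLSVerifyClient: try
-
replace: olcTLSCACertificateFile
# Only certificates issued by this CA are accepted as client certs.
olcTLSCACertificateFile: /etc/ldap/internal-ca.pem

dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
# The real "by" strength clauses are ssf=, transport_ssf=, tls_ssf= and
# sasl_ssf=. tls_ssf measures the negotiated cipher strength, so the
# second clause below grants auth to ANY client on a >=128-bit TLS
# session, with or without a certificate. It is a stand-in for the
# non-existent client_ssf, not a replacement for it.
olcAccess: {0}to attrs=userPassword
  by self write
  by peername.ip="1.2.3.0%255.255.255.0" auth
  by tls_ssf=128 auth
  by * none
```

Load with `ldapmodify -Y EXTERNAL -H ldapi:///` on the server and check the result with `ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config olcTLSVerifyClient olcAccess`. The point of the caveat in the comments is that presence of a client certificate is enforced by the verify mode, not by any ACL clause, so with `try` the ACL above would still let external, certificate-less clients bind.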