Actually, it simply turned out that I can set 'permissions' on AD LDS directory objects without adding anything to the 'ForeignSecurityPrincipals' container...
So, I just set 'perms' based on SID (a few examples are below, http://greatit.wordpress.com/2012/08/13/dsacls-and-built-in-groups/)
Examples which grant 'generic all/full control' on an AD LDS object:
dsacls "\\{myadldsserver}:{port}\cn=testadldsobect,cn=test,cn=com" /g {sid}:GA
dsacls {DN} /g {domain}\{username}:GA
dsacls {DN} /g {domain}\{machinename}$:GA
Regards.