ssl_cert_user_specname parameter
Article ID: KB0080076
Description
Behavior of the ssl_cert_user_specname parameter for the values ssl_cert_user_specname = anonymous and ssl_cert_user_specname = CERTIFICATE_USER.
Resolution
ssl_use_cert_username applies only to clients that have presented an identity. The following rules hold regardless of whether the user is in LDAP or locally defined in EMS.
1). If the client has presented its identity, then the common name in its identity must be a valid user in either LDAP or users.conf.
2). If the client has not presented an identity (for this to happen, the EMS server must NOT have set ssl_require_client_cert to enable), it still uses the user name, which again has to be in LDAP or users.conf.
CERTIFICATE_USER is just a placeholder. In practice it has to be set to an ACTUAL user name or to anonymous. The purpose of the "ssl_cert_user_specname" property is to replace the user name presented by the client with the common name from the client's certificate.
Example:
Suppose ssl_cert_user_specname = anonymous
1). Client A connects as anonymous but presents its client identity with the common name test_client. The client then effectively connects as user "test_client".
Suppose ssl_cert_user_specname = testuser
2). Client B connects as testuser but presents its client identity with the common name test_client. The client then effectively connects as user "test_client".
Client C, which connects using the user name testuser2, is not affected.
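The rules and the three client cases above can be modelled as a small decision function. This is an added example, not TIBCO EMS code: the function name, its parameters and the user list are hypothetical, and rejecting a client without a certificate when ssl_require_client_cert is enabled is an assumption about how that setting is enforced.

```python
# Model of the user-name resolution rules described in this article.
# Added example; not TIBCO EMS code. All names here are hypothetical.
from typing import Optional, Set


def effective_user(specname: str, supplied_user: str, cert_cn: Optional[str],
                   known_users: Set[str], require_client_cert: bool = False) -> str:
    """Return the user the connection runs as, or raise PermissionError."""
    if cert_cn is None:
        # Rule 2: a client without an identity can only connect when
        # ssl_require_client_cert is not enabled (assumed to be a rejection).
        if require_client_cert:
            raise PermissionError("client certificate required")
        user = supplied_user
    elif supplied_user == specname:
        # The supplied name equals ssl_cert_user_specname, so it is replaced
        # with the common name from the client's certificate.
        user = cert_cn
    else:
        # Client C case: a different user name is not affected.
        user = supplied_user
    # In every case the resulting name must exist in LDAP or users.conf,
    # modelled here as one set of known user names.
    if user not in known_users:
        raise PermissionError(f"unknown user: {user}")
    return user


if __name__ == "__main__":
    users = {"test_client", "testuser", "testuser2"}  # constructed sample
    cases = [  # (label, specname, supplied user name, certificate CN)
        ("Client A", "anonymous", "anonymous", "test_client"),
        ("Client B", "testuser", "testuser", "test_client"),
        ("Client C", "testuser", "testuser2", "test_client"),
        ("No certificate", "testuser", "testuser", None),
        ("CN not a user", "testuser", "testuser", "unlisted_cn"),
    ]
    for label, spec, name, cn in cases:
        try:
            print(label, "->", effective_user(spec, name, cn, users))
        except PermissionError as exc:
            print(label, "-> rejected:", exc)
```

The last case shows why the common names in issued client certificates need to be checked against the user store: a certificate whose common name is not a defined user cannot be used with the spec name.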
Issue/Introduction
CERTIFICATE_USER is a placeholder. In practice it has to be set to an ACTUAL user name or to anonymous.