Can I check the certificate username for auth? Right now any user can use a certificate from another user. I set a realm policy to check O=MYCOMPANY. Maybe I can check that the field Subject DN.CN = LDAP DN.CN?
Does https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB24522 help? It covers configuration that restricts users to authenticating against AD/LDAP with the username (CN) on the certificate they present.
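The check asked about in this thread, written out as an added Python example; it is not taken from the KB article or from Pulse Secure's own configuration. It accepts a certificate only when its O matches the required value and its Subject CN equals the CN of the LDAP user's DN. The function names and the DN strings are constructed assumptions.

```python
def parse_dn(dn):
    """Split a DN string into (TYPE, value) pairs, left to right.
    An escaped comma stays inside its value. Simplification: hex escapes
    and quoted values are not decoded."""
    pairs, buf, escaped = [], [], False
    for ch in dn + "\0":                  # NUL sentinel flushes the last component
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch in ",+\0":                # RDN separator, multi-valued RDN, or end
            attr, sep, value = "".join(buf).partition("=")
            if not sep or not attr.strip() or not value.strip():
                raise ValueError("malformed DN component")
            pairs.append((attr.strip().upper(), value.strip()))
            buf = []
        else:
            buf.append(ch)
    if buf:
        raise ValueError("dangling escape at end of DN")
    return pairs


def cert_matches_user(cert_subject_dn, ldap_user_dn, required_org="MYCOMPANY"):
    """True only if the certificate's O matches and its CN names this LDAP user."""
    try:
        cert, ldap = parse_dn(cert_subject_dn), parse_dn(ldap_user_dn)
    except ValueError:
        return False                      # unparseable input: fail closed
    cert_cns = [v for a, v in cert if a == "CN"]
    cert_orgs = [v for a, v in cert if a == "O"]
    if len(cert_cns) != 1 or len(cert_orgs) != 1:
        return False                      # missing or ambiguous identity: fail closed
    if ldap[0][0] != "CN":                # the user's own name is the leftmost RDN
        return False
    return (cert_orgs[0].casefold() == required_org.casefold()
            and cert_cns[0].casefold() == ldap[0][1].casefold())


# Constructed sample values (not real accounts or certificates)
LDAP_JDOE = "CN=jdoe,CN=Users,DC=mycompany,DC=local"
OWN_CERT = "C=US,O=MYCOMPANY,OU=Staff,CN=jdoe"
OTHER_CERT = "C=US,O=MYCOMPANY,OU=Staff,CN=asmith"

if __name__ == "__main__":
    print(cert_matches_user(OWN_CERT, LDAP_JDOE))    # own certificate
    print(cert_matches_user(OTHER_CERT, LDAP_JDOE))  # someone else's certificate
```

Checking O alone accepts both sample certificates for `jdoe`; adding the CN comparison is what rejects the second one.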