Certificate authentication only plus check LDAP attributes

[1zmbl]

Hi there,

I am trying to set up an OPNsense appliance as VPN gateway. I would like users to be able to authenticate only with a certificate from an external CA.
However, not every user with a valid certificate should be able to connect to the VPN. We have set a specific LDAP attribute that states whether a user is allowed to connet to the VPN or not.
Every certificate from that external CA contains the LDAP DN of a user as, I think, "subject name" (https://en.wikipedia.org/wiki/X.509#Structure_of_a_certificate) of the certificate.
I would like OPNsense to use that subject name from the certificate to check in LDAP if a user is allowed to connect to the VPN.

Currently, I am using the OpenVPN protocol. I found out, that u can extend a certificate authentication method by your own script by adding "tls-verify" to the OpenVPN server configuration file. Therefore, I am writing a shell script with OpenLDAP client to check the attribute.

Does anyone know if there is a better way to do this? I do not want users to additionally authenticate using their LDAP username and password. I am open to use another VPN protocol.
Are there any risks or issues with my method?