Set up:
OpenVPN 2.3 on a CentOS server. Multiple clients (Windows, OS X, Linux). Encryption using certificates PER device (easy-rsa), and added authentication using the openvpn-plugin-auth-pam.so module (username/password). I am also password-protecting the private keys.
Problem:
Anyone connecting with any of the valid certificates can authenticate with ANY of the local users. The problem with this is that some clients may end up using a very weak password that is vulnerable to brute-force attacks. I know I can simply just restrict the shit out of the client users as a protection against this type of intrusion, however I would rather not be limited to this.
What I want:
I would like each local user to be associated/tied to a specific certificate. That way, if Bob's credentials become compromised, and a different user Alice has a very weak password, then the attacker using Bob's credentials cannot brute force via user Alice.
How can this be done?
I fully realize that this is "paranoid" security, however it is a feature I believe should be available. Of course, if associating a cert to a local user is NOT the best and most efficient way, then feel free to suggest an alternative that would accomplish the same goal (i.e. a holder of a specific cert can only authenticate against a specific local user).
Thanks.
Use a client-connect script. Amongst other things, it is provided with both username and certificate chain data (so it knows the client certificate common name). You can maintain a correspondence between usernames and common names (for example, you may require the CN to be equal to the username, but this may require re-issuing all certificates). The script can use this correspondence to reject the connection if something doesn't match.

To keep the total stack under control, you need to start a single openvpn daemon for each one, creating a single certificate for each user and using a specific port for everyone; then you need to redistribute the pem and cfg files.
But for an enterprise solution it could be better to use L2TP/IPsec linked to Windows AD and a pre-shared key; it's the best choice, so you'll have an SSO password solution and no client software to maintain, just configuration by distributing a PDF with some screenshots :-) Hope it helps!
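As an added example of the client-connect approach from the first answer (this is not code from either answer or from the OpenVPN project), the script below binds each PAM username to one certificate common name through a small map file instead of forcing CN == username, so existing certificates need not be re-issued. OpenVPN sets `username` and `common_name` in the environment before running a `--client-connect` script and rejects the client when the script exits non-zero; the server must allow it with `script-security 2`. The map file path `/etc/openvpn/user-cn.map`, the script name, the `logger` tag and the one-binding-per-line format are assumptions made for this example.

```shell
#!/bin/sh
# Added example: OpenVPN --client-connect script that ties each PAM username
# to one certificate common name. Not part of the original answers.
#
# Assumed server.conf lines (not on the page):
#   script-security 2
#   client-connect /etc/openvpn/bind-user-cn.sh
#
# Assumed map file format, one binding per line, whitespace separated:
#   <username> <certificate_common_name>
# '#' comments and blank lines are ignored; a user may appear on several
# lines if they hold several per-device certificates.

MAP_FILE="${MAP_FILE:-/etc/openvpn/user-cn.map}"   # assumed path

# Print every common name bound to a username (nothing if the user is unmapped).
bound_cn() {
    map="$1"; user="$2"
    awk -v u="$user" '
        /^[[:space:]]*(#|$)/ { next }   # skip comments and blank lines
        $1 == u { print $2 }            # exact, case-sensitive username match
    ' "$map"
}

# Return 0 when (user, cn) is an allowed pair, 1 otherwise.
# Fails closed: empty values, an unreadable map, an unmapped user, or a
# username presented with somebody else's certificate are all denied.
check_binding() {
    map="$1"; user="$2"; cn="$3"
    [ -n "$user" ] && [ -n "$cn" ] && [ -r "$map" ] || return 1
    for allowed in $(bound_cn "$map" "$user"); do
        [ "$allowed" = "$cn" ] && return 0
    done
    return 1
}

# OpenVPN exports the PAM username as $username and the verified client
# certificate's CN as $common_name before invoking --client-connect.
# Only act when OpenVPN has set them, so sourcing this file elsewhere is inert.
if [ -n "${username:-}" ] || [ -n "${common_name:-}" ]; then
    if check_binding "$MAP_FILE" "${username:-}" "${common_name:-}"; then
        logger -t openvpn-bind "accept user=$username cn=$common_name"
        exit 0
    else
        # Exit 1 makes OpenVPN drop the client even though PAM accepted the password.
        logger -t openvpn-bind "reject user=${username:-?} cn=${common_name:-?}"
        exit 1
    fi
fi
```

With this in place, a holder of Bob's certificate who guesses Alice's password is still rejected, because `alice` is bound only to Alice's CNs. The rejects land in syslog, which is also where a guessing attempt against a weak account becomes visible.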