Hi
Yes, you can use certificate authentication with LDAP authorization and use either the LDAP MAP or DAP to apply settings based on LDAP attributes (e.g. memberOf).
You may need a feature known as "username-from-certificate" that you can use to specify which field in the certificate the ASA should consider to be the username to send to the LDAP server.
Note that this is not considered 2-factor authentication, since you only use the certificate for authentication; the LDAP lookup is doing authorization only.
If you want to do real 2-factor authentication then you can still use the username-from-certificate feature to pre-fill the username in the login screen, so the user only needs to enter his password.
hth
Herbert
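
A configuration sketch of the two setups described in the reply above, added here as an example; it is not part of the original post and not taken from any particular deployment. All object names, the address 192.0.2.10, the distinguished names and the bind password are constructed placeholders, and the sketch assumes the certificate CN matches the LDAP naming attribute. Keyword availability (for example `Group-Policy` as the mapped attribute) depends on the ASA release, so check it against the command reference for your version.

```cisco
! Constructed example: every name, address and DN below is a placeholder.
! Map the LDAP memberOf attribute to a group policy (the "LDAP MAP" approach).
ldap attribute-map VPN-GROUP-MAP
 map-name memberOf Group-Policy
 map-value memberOf "CN=VPN-Users,OU=Groups,DC=example,DC=com" GP-VPN-USERS
!
aaa-server LDAP-SRV protocol ldap
aaa-server LDAP-SRV (inside) host 192.0.2.10
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=asa-bind,OU=Service,DC=example,DC=com
 ldap-login-password <bind-password>
 server-type microsoft
 ldap-attribute-map VPN-GROUP-MAP
!
! Default policy denies access, so a user with no matching memberOf
! value does not inherit a working policy.
group-policy GP-NOACCESS internal
group-policy GP-NOACCESS attributes
 vpn-simultaneous-logins 0
group-policy GP-VPN-USERS internal
group-policy GP-VPN-USERS attributes
 vpn-simultaneous-logins 3
!
! Variant A: certificate authenticates, LDAP only authorizes (single factor).
tunnel-group RA-CERT type remote-access
tunnel-group RA-CERT general-attributes
 authorization-server-group LDAP-SRV
 authorization-required
 username-from-certificate CN
 default-group-policy GP-NOACCESS
tunnel-group RA-CERT webvpn-attributes
 authentication certificate
!
! Variant B: certificate plus LDAP password (two factors); the username
! field is pre-filled from the certificate, the user types only the password.
tunnel-group RA-2FA type remote-access
tunnel-group RA-2FA general-attributes
 authentication-server-group LDAP-SRV
 username-from-certificate CN
 default-group-policy GP-NOACCESS
tunnel-group RA-2FA webvpn-attributes
 authentication aaa certificate
 pre-fill-username ssl-client
```

In Variant A, `authorization-required` makes the connection fail when the LDAP lookup for the certificate-derived username does not succeed, which is what ties the certificate to a live directory account.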