The sole purpose for tl-ldap-certalias is to extract certificate from user object and populate authorized_keys for use as public key auth.
The problem is that certificates for a user object probably includes several certificates which only on is intended for authentication in the infrastructure.
One way to overcome this is to implement a certificate filter just like we have done on the client side which i configurable on the thinlinc server.
See client certificate filter documentation for more information:
We are reading certificates from the users' objects in the LDAP database, so it's reasonable to assume that all of them should be valid to authenticate the user. I don't think other products that use the certificates do any other filtering.