Challenges with Smart Card Setup on New ThinLinc Install

Hi @Bill

This is not something I work with regularly, so my knowledge is somewhat limited, but I’ll try my best :slight_smile:

Regarding your first question:
The X.509 certificate on the card (for example, in slot 45) is the user certificate stored on the card. From this slot we can read out the SSH public key and also the subject name. This is an example from a demo card I use:

maros: ~ $ pkcs15-tool --read-certificate  45 | openssl x509 -text -noout | grep "Subject:"
Using reader with a card: OMNIKEY AG 3121 USB 00 00
        Subject: C = SE, CN = Fredrika Testsson21, SN = Testsson21, GN = Fredrika, serialNumber = 189104124129

From this output, we can see that the Subject Name (CN) is Fredrika Testsson21. To have the ThinLinc client automatically connect when the smart card is inserted, one must enable
Options → Security → hit “Details” for Smart Card and check “Use certificate subject as login name”

Which will then use this CN as login user name:
[Screenshot from 2023-06-16 08-20-04: ThinLinc client login dialog showing the CN used as the user name]

Since this name is rarely a valid user name, one must use the nss-passwdalias module to map the CNs to valid POSIX user names.

This is required if one wants to implement automatic login when the smartcard is inserted.

Secondly:
tl-ldap-certalias/LDAP is not a requirement at all. In modern systems, looking up users from different backends (LDAP, AD etc.) is usually done with sssd. Of course, you will still need some method of collecting the public keys from the smart cards (e.g. pkcs15-tool --read-ssh-key) and storing them on the server, in ~/user/.ssh/authorized_keys

I think a common use-case for tl-ldap-certalias is when the user certificate from the smart card is stored in a central ldap database, and you want to automatically fetch the ssh key from that ldap server and store each key in ~/user/.ssh/authorized_keys.

Kind regards,
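The enrolment flow described in the reply above (read the certificate's CN from the card, map it to a POSIX user, read the SSH public key from the same card and put it in that user's authorized_keys), as an added example; this is not ThinLinc's own tooling and not part of the original post. It assumes a hypothetical alias file with one "CN:posixuser" line per enrolled card (a stand-in for whatever nss-passwdalias or LDAP would provide), that pkcs15-tool and openssl are installed, and that the card is in the reader when the main function runs. The parsing, mapping and authorized_keys functions do not need a card and are what the accompanying checks exercise.

```shell
#!/bin/sh
# Added example, not ThinLinc's code. Enrol a smart card's SSH public key for the
# POSIX user that the card certificate's CN maps to.
# Assumptions (hypothetical): ALIASES is a root-owned file of "CN:posixuser" lines;
# pkcs15-tool and openssl are installed; the card is in the reader when main runs.

# Extract the CN value from an OpenSSL subject line such as
#   "Subject: C = SE, CN = Fredrika Testsson21, SN = Testsson21, ..."
# or the "subject=C = SE, CN = ..." form printed by `openssl x509 -noout -subject`.
subject_cn() {
    printf '%s\n' "$1" | sed -n 's/.*CN *= *\([^,]*\).*/\1/p'
}

# Map a CN to a POSIX user name using the alias file ($2).
# Prints the user name; prints nothing and returns 1 if the CN is not enrolled.
map_cn_to_user() {
    awk -F: -v cn="$1" '$1 == cn { print $2; found = 1 } END { exit found ? 0 : 1 }' "$2"
}

# Append a public key line to an authorized_keys file ($1) exactly once.
# Refuses anything that does not look like an OpenSSH public key, so a failed
# card read (empty output, error text) never ends up as an "authorized key".
# Prints "added" or "present".
add_authorized_key() {
    case "$2" in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*) ;;
        *) echo "refusing to add non-key line: $2" >&2; return 1 ;;
    esac
    if [ -f "$1" ] && grep -qxF "$2" "$1"; then
        echo present
        return 0
    fi
    printf '%s\n' "$2" >> "$1"
    chmod 600 "$1"
    echo added
}

# Read the certificate with ID $1 (e.g. 45) from the card and return its CN.
# pkcs15-tool prints "Using reader with a card: ..." on stderr; only the PEM reaches openssl.
card_subject_cn() {
    subject_cn "$(pkcs15-tool --read-certificate "$1" | openssl x509 -noout -subject)"
}

# Read the public key with the same ID from the card in OpenSSH format.
card_ssh_key() {
    pkcs15-tool --read-ssh-key "$1"
}

# Full enrolment: $1 = certificate/key ID on the card, $2 = alias file.
main() {
    cert_id=${1:-45}
    aliases=${2:-/etc/smartcard-aliases}   # hypothetical path
    cn=$(card_subject_cn "$cert_id") || exit 1
    user=$(map_cn_to_user "$cn" "$aliases") || {
        echo "no POSIX user mapped for CN '$cn'" >&2
        exit 1
    }
    home=$(getent passwd "$user" | cut -d: -f6)
    [ -n "$home" ] || { echo "no home directory for $user" >&2; exit 1; }
    mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh"
    add_authorized_key "$home/.ssh/authorized_keys" "$(card_ssh_key "$cert_id")"
    chown -R "$user" "$home/.ssh"
}

# Only run the card-touching path when invoked directly with ENROL=1, so the
# helper functions can be sourced and tested without a reader attached.
if [ "${ENROL:-0}" = 1 ]; then
    main "$@"
fi
```

Run as `ENROL=1 ./enrol-card.sh 45 /etc/smartcard-aliases` as root. The alias file is the trust anchor of this mapping: whoever can edit it can route any card's key into any account, so it should be root-owned and writable by nobody else, exactly as one would protect the nss-passwdalias or LDAP data it stands in for.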