Two things need to be in place: something that tells the LDAP “client” in the nextcloud snap where to look for a certificate, and the certificate itself.
- You have the certificate of the server installed on the Nextcloud server
- The certificate is announced in the system’s LDAP configuration file (usually /etc/ldap/ldap.conf)
See https://linux.die.net/man/5/ldap.conf for a deeper dive into ldap.conf/ldaprc/.ldaprc
I don’t understand what you are asking about whether the certificate needs to be visible globally or just within the snap.
Because the certificate is a private root CA the certificate cannot be within the read only portion of the snap. The certificate will need to be “installed” (copied into place) “somewhere” which could be within the general filesystem, or persistent storage within the snap. It is possibly “cleaner” to use a ldap.conf that is part of the read only portion of the snap, and has a predefined path for the certificate to persistent storage within the snap.
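As an added example (not from the original post or the Nextcloud snap itself), a small shell check that an ldap.conf actually names a readable CA certificate and leaves certificate verification switched on. It assumes the directive names from man 5 ldap.conf (TLS_CACERT, TLS_REQCERT) and the default /snap mount point for the read-only snap image.

```shell
#!/bin/sh
# check_ldap_tls CONF  -- exit 0 when CONF points the LDAP client at a usable
# CA certificate and does not disable verification, non-zero otherwise.
check_ldap_tls() {
    conf="$1"
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 1; }
    # Directives are case-insensitive; the last occurrence wins. Comment lines
    # start with '#' and never match. (Paths containing spaces are not handled.)
    cacert=$(awk 'toupper($1)=="TLS_CACERT"{v=$2} END{print v}' "$conf")
    reqcert=$(awk 'toupper($1)=="TLS_REQCERT"{v=tolower($2)} END{print v}' "$conf")
    [ -n "$cacert" ] || { echo "no TLS_CACERT in $conf" >&2; return 1; }
    case "$cacert" in
        # A private CA cannot live inside the read-only snap image (assumes
        # the default /snap mount point).
        /snap/*) echo "$cacert is inside the read-only snap image" >&2; return 1 ;;
    esac
    [ -r "$cacert" ] || { echo "CA file $cacert not readable" >&2; return 1; }
    grep -q -- '-----BEGIN CERTIFICATE-----' "$cacert" \
        || { echo "$cacert is not a PEM certificate" >&2; return 1; }
    # Unset means the default (demand); never/allow/try accept unverifiable peers.
    case "${reqcert:-demand}" in
        demand|hard) ;;
        *) echo "TLS_REQCERT $reqcert disables verification" >&2; return 1 ;;
    esac
    echo "ok: $conf trusts $cacert with TLS_REQCERT ${reqcert:-demand}"
}

# Constructed demo: a placeholder PEM file (not a real certificate) and two
# sample configs in a temporary directory.
demo_dir=$(mktemp -d)
printf -- '-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n' \
    > "$demo_dir/ca.pem"
printf 'TLS_CACERT %s\nTLS_REQCERT demand\n' "$demo_dir/ca.pem" > "$demo_dir/good.conf"
printf 'TLS_CACERT %s\nTLS_REQCERT never\n' "$demo_dir/ca.pem" > "$demo_dir/bad.conf"
check_ldap_tls "$demo_dir/good.conf"
check_ldap_tls "$demo_dir/bad.conf" || echo "bad.conf rejected as expected"
rm -rf "$demo_dir"
```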