If LDAP is down in an LDAP environment, you cannot authenticate anyway.
Our systems people get local accounts on machines for disasters like LDAP-down. Everyone else is LDAP-only, including ssh keys.
This is nowhere close to "where we started". Now we have a handful of privileged accounts and centralized auth management across thousands of other accounts.
Centralized logging and centralized auth are pretty much mandatory above some size. Without them, you literally do not know who is doing what.
A way to work around this is to normally work with short term certificate (24h) and allow your systems people to generate longer term certificates (one month) that are stored encrypted on their laptop or usb key.
That way you get both emergency access in case LDAP is broken, as well as a way to make sure old personal access gets revoked after one month.
You can have backdoor keys for the root account that you configure during provisioning. The use of these keys/account would trigger a security alert and only be for break glass scenarios. Other situations would use LDAP stored keys for authn/authz and LDAP stored sudo rules for additional authz.
Well absolutely there has to be an alternative way in, be it serial console or a dedicated admin user who does not have keys in ldap. With sshd you would specify a local key instead of ldap for that specific user, for example
To overcome this issue, you end up storing a set of public keys in the servers themselves, thereby going back to where you started.