There are trade-offs with every solution though.
With LDAP, 2FA needs to be built out in each application or added via some form of LDAP proxy (I think this was discussed on GitLab or Rocket.Chat somewhere). With OAuth, the provider can handle that.
Also, OAuth only requires access via HTTP(S). I would like to use Cloudron as a single source for my identity, but that's impossible today since I can't use it as an OAuth provider or securely access LDAP from any other server.
I totally understand a preference towards LDAP, if available, but removing the option for OAuth does impose limitations.
A while back I started working towards my own workaround by building a Cloudron app that provides a VPN interface and proxy to the Cloudron LDAP server. I decided against that and to instead just host an instance of Authelia from within Cloudron, but I've since run into a wall there as well.
I'm not dead set on any particular solution, but would be great to have some mechanism to use Cloudron as SSO for all my services.