First, thanks for great feedback @Andy_Wismer and @izuky !
To access the feature you need a subscription.
Like on many Open Source product, connection with remote LDAP/AD is often not enabled on free version: it’s usually a feature required for companies and we hope they can pay few bucks a month to support the project 
Sadly dropbear does not have it. And to enable it on OpenSSH, I think you need a PAM module which is not present inside OpenWrt.
As an alternative, I can suggest to open SSH only from the VPN zone then use OpenVPN as first factor and SSH itself as second one.
Still, nor clean nor easy 
Yes, we hope it will be part of next major release.
Even this one is planned, but not in the upcoming months.
Maybe we can think to include first the required daemons without UI nor configuration scripts.
Already released: NethSecurity project milestone 8.3 