Servers and workstations (clients of the LDAP server) should be configured to only use authorized keys from LDAP and not local ones, as the local files can contain multiple public keys, which quickly gets harder to audit and makes it harder to catch someone slipping a public key into the local authorized_keys.
[1] - https://serverfault.com/questions/653792/ssh-key-authenticat...
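
An added example, not part of the comment above: a shell audit that checks whether sshd can still read local key files and lists any `authorized_keys` left in home directories. The sample configurations are constructed, and the helper path `/usr/local/bin/ldap-ssh-keys` is a placeholder for whatever command fetches keys from LDAP on a given site.

```sh
#!/bin/sh
# Added example: check that sshd can only obtain public keys from a lookup
# command (e.g. LDAP), never from local authorized_keys files.

# Constructed samples in the format printed by `sshd -T`.
SAMPLE_DEFAULT='port 22
authorizedkeysfile .ssh/authorized_keys .ssh/authorized_keys2
authorizedkeyscommand none
authorizedkeyscommanduser none'
# The command path below is a placeholder for the local LDAP key helper.
SAMPLE_LDAP_ONLY='port 22
authorizedkeysfile none
authorizedkeyscommand /usr/local/bin/ldap-ssh-keys
authorizedkeyscommanduser nobody'

# Reads `sshd -T` style text on stdin and prints one finding per line.
# Returns 0 when keys can only come from AuthorizedKeysCommand, else 1.
check_key_sources() {
    awk '
        $1 == "authorizedkeysfile"    { $1 = ""; sub(/^ +/, ""); file = $0; next }
        $1 == "authorizedkeyscommand" { $1 = ""; sub(/^ +/, ""); cmd = $0; next }
        END {
            bad = 0
            # With the keyword absent, OpenSSH falls back to the local files.
            if (file == "") file = ".ssh/authorized_keys .ssh/authorized_keys2"
            if (file != "none") { print "FAIL local key files enabled: " file; bad = 1 }
            if (cmd == "" || cmd == "none") { print "FAIL no AuthorizedKeysCommand set"; bad = 1 }
            if (!bad) print "OK keys come only from: " cmd
            exit bad
        }'
}

# Lists authorized_keys files under the home-directory root given as $1.
# Returns 1 if any exist, so leftovers and newly planted files get flagged.
find_local_keys() {
    found=$(find "$1" -maxdepth 3 -type f -path '*/.ssh/*' \
        \( -name authorized_keys -o -name authorized_keys2 \) 2>/dev/null) || true
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Demo on the constructed samples.
printf '%s\n' "$SAMPLE_DEFAULT" | check_key_sources || true
printf '%s\n' "$SAMPLE_LDAP_ONLY" | check_key_sources
```

On a live host the input would be `sshd -T | check_key_sources` run as root, with `find_local_keys /home` run on a schedule to catch files that reappear.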