Staring in CrushFTP v11, LDAP users can now be configured to utilize MFA. The typical scenario being Google Authenticator or Microsoft authenticator.

1.) Enable the checkboxes "reference local username settings during login (MFA logins)
2.) Set the create user from template username...example "ldap_template"
3.) Create a plain user named "ldap_template" in the User Manager, no password, no VFS, etc...this will be the base for users who login, and it will be duplicated with their username at login.
4.) Use whatever your username that the entire LDAP plugin is inheriting from to setup the forced config to setup the authenticator. This is the "Import settings from CrushFTP user:" at the very bottom of the LDAP configuration. Set: User Manager, WebInterface section, customizations section, Two Factor: force Google Authenticator setup.

Now at login, if their profile does not exist, the "ldap_template" is duplicated to their username.
Since they are inheriting from a user who requires "Two Factor: force Google Authenticator setup", they are then prompted to configure the authenticator setup.
Once completed, their secret key is saved into their new User Manager profile based on their username...as well as the flag indicating they must use two factor auth.
All future logins now still validate against LDAP, but reference the secret key and the fact they need two factor to authenticate.

Now your virtualized user from LDAP has an actual profile that holds minimal info, and if you so choose to, you can tweak that individual user profile further.