If you want I could try working on this one.

This is a good idea, and I would like to include this into 3.1. You may give it a try. Changes need to be done come into my mind right now:

1. Add a setting to denote ldap attribute to be used as public keys into class LdapAuthenticator. It is something like existing User Email Attribute
2. Add a field into class Authenticated to include returned public keys
3. Compare existing public keys with retrieved public keys, and perform create/update/delete operations if necessary. You may refer to group syncing as an example. The code exists in class OneAuthorizingRealm

For simplicity, I'd suggest not to add special flags for public keys retrieved from LDAP. As long as an user is authenticated via LDAP, and public key retrieval attribute is specified, we can sync all the public keys of the users with LDAP. Group membership is also handled this way right now. We may improve it if there is such requirement later.

✓ I have started working on that. It will be a real handy feature.

@robin I would name the attribute User SSH Public Key with the description

Specifies name of the attributes inside the user LDAP entry whose values will be taken as user SSH public keys. If this field is set SSH public keys are managed by LDAP only

This description is very clear, 👍

See pull request #8

Since the PR is merged this one is done?

I created a psuedo commit (by editing missing-issue-fixes.md) to have this issue committed, and it will be closed when milestone 3.1 is released. Next time when merge pull request, we can use the squash merge strategy and provide a message fixing related issue.