If using 2FA, then after setting up an email address on the account from LDAP, it should email that with the initial 2FA code.

This would be useful.  The template would be an "item type" and could add custom fields and even conceal others.  That way you could have a "server password" type, that conceals the URL field; or a "SSL Certificate" type which conceals username but allows attached files.  This is similar to the way that Thycotic Secret Server works