Keycloak. Took me a bit to learn the basics, but it has been way easier to troubleshoot than Authentik and has more features. If you need something that mimics LDAP rather than syncing with an existing LDAP, then Authentik is pretty good. I don’t use LDAP, though.
If you want to keep your LDAP as the source of truth, then Keycloak is also a very good option. I did that originally, but decided I only had a couple of things needing LDAP and that wasn’t worth keeping it around. Authentik was a good way to emulate an LDAP but with a different back end. But Keycloak is definitely my recommendation in your case.