https://bugs.openldap.org/show_bug.cgi?id=10169
--- Comment #2 from Bastian bastian-bugopenldap21@t6l.de ---
Thanks for your comment. I'd like to add that our site would be very interested in this feature. Currently, we rely on the pw-totp module from contrib, and we would be very happy to convert to the supported overlay.
In our case, it's a core element of the design that there is no keyboard-interactive userPassword available during authentication. The 1FA is done by sshd pubkey authentication. The 2FA is a subsequent PAM module which does an LDAP bind call against the entries beneath ou=totp.
Picking up your thought about an empty userPassword: Maybe it is possible to introduce a password schema like `{OTPONLY}` to selectively set entries in the OTP-only authentication mode.