I successfully connected Camunda to an OpenLDAP instance, and I was able to read users and groups. My target configuration should be a mixed one:
Users from LDAP
Groups defined locally in Camunda DB
Authorizations would then be mixed. Is it a real/meaningful/feasible situation? It appears that if you activate the LDAP plugin, everything goes read-only (users and groups), so I suspect that the answer is ‘no’.
The identity service provider is implemented as a Process Engine Plugin and can be added to the process engine configuration. In that case it replaces the default database identity service.
Since process engine plugins usually override the process engine configuration, it makes sense that enabling the LDAP plugin overrides the default user handling. So, unfortunately, I think there is no way of combining both ways of user handling.