Yes! Just set up both - LDAP and SSO. In such configuration users will be authenticated with SSO and authorized based on LDAP groups membership.
To achieve that:
On Single sign-on configuration, disable "Assign users to groups based on SAML 2.0 response attribute" option.
On User groups, configure matching of group name and LDAP group name.
Hope this helps!