It's worth noting that it's safer to use Kerberos for the actual authentication part over LDAP and/or NTLM. In the event of the servers being hacked, you avoid leaking your password (but may leak some form of ticket, of course). Using LDAP to store the account details and authorization data (so you can create user accounts at first login) is fine though.