Generally a given connection profile (aka tunnel goup) uses one kind of authentication. (althought we can also opt to use two factor authentication - we are not considering that here).
If you want to have some users use LDAP and other users to use local authentication (username and password predefined on the ASA) then you need two separate conneciton profiles.
When I do this, I normally make the one used by the majority of users show up at the top of the drop down list by giving it a name like "1 - Employee VPN". We can then call the other something like "2 - Admin VPN".
The profile setup for LDAP authentication is described in many documents. Here is a good one from a Cisco engineer: