LDAP users cannot be purged from the DB if they own objects (vApps, networks, etc.).
For Kerberos authentication, you typically use the 'userPrincipalName' value of the system (testuser@domain.com) ... not sAMAccountName (testuser).
This is because you need to dictate a Kerberos realm when logging in, and the userPrincipalName has that and sAMAccountName does not.
You'll also notice this switch in the LDAP schema in the config page when you switch between Kerberos and non-Kerberos.